Much is written by and about state, local, and international government efforts to address cybersecurity policy issues. This report and the CRS reports listed below link to authoritative sources that address many of the most prominent issues. It includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources. These sources are listed in reverse chronological order, with an emphasis on materials published in the past several years.
This report is intended to serve as a starting point for congressional staff assigned to cover cybersecurity policy issues. It includes annotated descriptions of reports, websites, or external resources related to:
Table 1, state, local, and tribal governments, including selected state status reports, surveys, and guidance documents
Table 2, international, including international laws, legislation, and agreements, supply chain vulnerabilities, and intellectual property theft
Table 3, international—China, including espionage, cybercrime, and national security issues
Table 4, international—Europe, European Union, and United Kingdom
The following CRS reports comprise a series that compiles authoritative reports and resources on these additional cybersecurity topics:
CRS Report R44405, Cybersecurity: Overview Reports and Links to Government, News, and Related Resources, by Rita Tehan
CRS Report R44406, Cybersecurity: Education, Training, and R&D Authoritative Reports and Resources, by Rita Tehan
CRS Report R44408, Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources, by Rita Tehan
CRS Report R44410, Cybersecurity: Critical Infrastructure Authoritative Reports and Resources, by Rita Tehan
CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan
CRS Report R43310, Cybersecurity: Data, Statistics, and Glossaries, by Rita Tehan
Table 1. State, Local, and Tribal Governments
(including selected state status reports, surveys, and guidance documents)

| Title | Source | Date | Notes |
| --- | --- | --- | --- |
| | National Conference of State Legislatures | Continuously Updated | At least 41 states have introduced more than 240 bills or resolutions related to cybersecurity. |
| | Massachusetts Consumer Affairs and Business Regulation | Continuously Updated | The state of Massachusetts made public an online archive of data breach notifications affecting Massachusetts residents from 2007 through 2016. The state's Data Breach Security Law, in effect since October 31, 2007, requires businesses and others that own or license personal information of state residents to notify affected residents, the Office of Consumer Affairs and Business Regulation, and the office of the attorney general when they know or have reason to know that the personal information of a resident was acquired or used by an unauthorized person, or used for an unauthorized purpose. |
| | Merit Network | Continuously Updated | Enables individuals and organizations to develop detection and reaction skills through simulations and exercises. This is a partnership between the state of Michigan, Merit Network, federal and local governments, colleges and universities, and the private sector. |
| | State of Michigan | Continuously Updated | MiC3 is a group of trained cybersecurity experts who volunteer to provide expert assistance to enhance the state's ability to rapidly resolve cyber incidents when activated under a governor-declared state of emergency. The group includes volunteers from the government, education, and business sectors. |
| | National Association of State Chief Information Officers (NASCIO) | Continuously Updated | Links to CIO contact information, professional biographies, state governments, and state statistics. |
| Getting Started for State, Local, Tribal, and Territorial (SLTT) Governments | United States Computer Emergency Readiness Team (US-CERT) | Continuously Updated | A list of resources available to state, local, tribal, and territorial governments that have been aligned to the five Cybersecurity Framework function areas. Some resources and programs align to more than one function area. |
| | Pew Charitable Trusts | November 10, 2017 | The number of U.S. states that have purchased cyber insurance has grown from 10 in 2015 to 19 in 2016, according to information gathered from state CIOs. The policies usually cover costs associated with investigations and data restoration, as well as customer notification, legal and public relations services, and credit monitoring. |
| | National Governors Association | November 6, 2017 | The U.S. National Governors Association (NGA) and the National Association of State Chief Information Officers (NASCIO) have asked the Office of Management and Budget's (OMB's) Office of Regulatory Affairs to standardize federal audit processes and make cybersecurity requirements consistent across federal agencies. NGA and NASCIO say that complying with the various requirements unnecessarily consumes states' resources. (2 pages) |
| 2017 U.S. State and Federal Government Cybersecurity Research Report | SecurityScorecard | August 24, 2017 | The report analyzed and scored the current security posture of 552 small, medium, and large U.S. government organizations with more than 100 public-facing IP addresses, to determine the state of government cybersecurity programs today. (24 pages) |
| | State of Connecticut | July 10, 2017 | Governor Malloy announced a new cybersecurity strategy, a seven-principle approach to safety on the web. The strategy's principles are leadership, literacy, preparation, response, recovery, communication, and verification. |
| | International City/County Management Association and Univ. of Maryland | April 19, 2017 | A survey of local government chief information officers finds that insufficient funding for cybersecurity is the biggest obstacle to achieving high levels of cyber safety: inadequate budgets are the largest obstacle for local government CIOs in obtaining the highest level of cybersecurity for their organization. (12 pages) |
| 26 States Have Adopted Ethical Duty of Technology Competence | Law Sites | December 28, 2016 | 26 states now require lawyers to stay abreast of changes in legal technology. |
| | Deloitte & Touche and National Association of State CIOs | October 2016 | Each year, the National Association of State Chief Information Officers (NASCIO) conducts a survey of state chief information officers (CIOs) to identify and prioritize the top policy and technology issues facing state government. State CIOs ranked cybersecurity as their top priority in 2014, 2015, and 2016. Considering that cybersecurity breaches in both the public and private sector are consistently splashed across the news, this is understandable. In the 2016 Deloitte-NASCIO Cybersecurity Study, we asked state chief information security officers (CISOs) about the status of cybersecurity in their states, as well as their perspectives and insights. We have compiled and highlighted those findings here. Importantly, we have found that the message that "cybersecurity is everyone's responsibility" is seeing some traction. (32 pages) |
| | Institute for Defense Analyses | June 2016 | While states are pursuing the resolution of cyber issues across many fronts, a significant gap remains between the ability to gather and share information and intelligence and the mitigation of breaches that have already occurred. This document is intended to provide a place to start for state leaders who envision an ability to operationalize intelligence and information in a way that can stay ahead of the curve when it comes to cyberattacks. (74 pages) |
| | Connecticut Public Utilities Regulatory Authority | April 6, 2016 | The report offers new solutions for enhanced cybersecurity in the electricity, natural gas, and water sectors. The report and action plan are a follow-up to a 2014 PURA report, which presented the state with a roadmap to support cybersecurity defenses. (27 pages) |
| | California Attorney General | February 2016 | The report provides an analysis of the data breaches reported to the California attorney general from 2012 to 2015. In nearly all cases, the breaches exploited vulnerabilities for which fixes had been available for more than a year. California state law states, "A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information." The report states that organizations that do not implement the Center for Internet Security's (CIS) 20 Critical Security Controls would be found to demonstrate "a lack of reasonable security." (76 pages) |
| | State of California | August 31, 2015 | The governor issued an executive order that created the California Cybersecurity Integration Center (Cal-CSIC). "The Integration Center's primary mission will be to reduce the likelihood and severity of cyber incidents that could damage California's economy, its critical infrastructure, or public and private sector computer networks in our state," the order said. Cal-CSIC will work with the existing California Threat Assessment System and the U.S. Department of Homeland Security (DHS) to improve information sharing and communication with local, state, and federal agencies. |
| | National Association of Attorneys General | July 7, 2015 | In a letter to House and Senate leaders, state attorneys general urge Congress not to pass federal data breach legislation that preempts state laws. In the letter, the 47 state and territorial attorneys general urge that any legislation preserve states' abilities to enforce their own data security laws and to pass requirements stricter than federal standards. |
| Unmanned Aerial Systems, Governance and State CIOs: on the Radar | NASCIO | May 27, 2015 | State IT officials will be saddled with the consequences if drones—and the data they collect—are not digitally secure. The brief urges state CIOs to make cybersecurity a priority as they consider what drone policies to recommend to state leaders and whether to advocate for an authoritative or advisory role for the CIO's office on state drone policy. (8 pages) |
| | State of Rhode Island | May 7, 2015 | The governor of Rhode Island signed an executive order establishing a new cybersecurity commission to create an action plan for protecting the state's vital infrastructure and to recommend ways state government can promote the growth of a skilled cybersecurity workforce and business sector. The commission will consist of representatives of state agencies and other public-sector entities; research institutions; and the private sector in the defense, financial services, IT, and energy sectors. (3 pages) |
| [Virginia] Governor McAuliffe Announces State Action to Protect Against Cybersecurity Threats | Virginia Governor's Office | April 20, 2015 | Governor Terry McAuliffe announced that the Commonwealth of Virginia is establishing the nation's first state-level Information Sharing and Analysis Organization (ISAO). Governor McAuliffe launched the Virginia Cyber Security Commission and "Cyber Virginia" by Executive Order no. 8 on February 25, 2014. |
| | Brookings Institution | March 5, 2015 | All states except Alaska publish an IT strategic plan, and Brookings did a content analysis of these plans to assess each state's cybersecurity positioning. "Our purpose in conducting this analysis was to determine how well states were conducting this 'due care.' As expected, our findings were mixed. We were able to identify two states that had strong efforts and performed better than their peers. We consider Idaho and Mississippi to be truly outstanding in their focus on cybersecurity." |
| | NASCIO | January 22, 2015 | NASCIO states that cybersecurity is its top priority for the federal government to address this year—including through coordination with states on combating cyberthreats. (5 pages) |
| 100 Resilient Cities and Microsoft Announce Partnership to Help Cities Build Cybersecurity | 100 Resilient Cities and Microsoft | January 15, 2015 | 100 Resilient Cities, pioneered by the Rockefeller Foundation, entered a partnership with Microsoft Corporation to help cities build cybersecurity strategies and combat online threats. Microsoft will provide the following to select 100RC member cities: best practices and resources for cities to develop a cybersecurity strategy as part of their resilience program; cybersecurity experts who will lead workshops to help cities prioritize their cyber needs; and facilitation of cybersecurity knowledge exchanges at 100RC-organized city workshops. |
| State Governments at Risk: Time to Move Forward: 2014 Deloitte-NASCIO Cybersecurity Study | Deloitte and Touche and NASCIO | October 2014 | A majority of elected officials in state governments are confident in their abilities to defend against cyberthreats, but only one-quarter of state chief information security officers (CISOs) feel the same way, according to a new survey. The survey of 49 state CISOs or their equivalents and 186 other state officials cited barriers to cybersecurity that included low budgets and difficulty recruiting top talent. Three-quarters of the CISOs surveyed said lack of sufficient funding is a major barrier to addressing cyberthreats, although almost half said cybersecurity budgets have increased year over year. (32 pages) |
| | Center for Digital Government (CDG) | September 2, 2014 | Every two years, the CDG, the research and advisory arm of Government Technology's parent company eRepublic, evaluates state governments' ability to improve internal processes and better serve citizens. |
| | Connecticut Public Utilities Regulatory Authority | April 14, 2014 | The document is a plan for Connecticut's utilities to help strengthen defenses against possible future threats, such as a cyberattack. Connecticut is the first state to present a cybersecurity strategy in partnership with the utilities sector and will share it with other states working on similar plans. Among other findings, the report recommends that Connecticut commence self-regulated cyber audits and reports and move toward a third-party audit and assessment system. The report also makes recommendations regarding local and regional regulatory roles, emergency drills and training, coordinating with emergency management officials, and handling confidential information. (31 pages) |
| | White House | April 2, 2014 | The White House in March 2014 convened a broad array of stakeholders, including government representatives, local government-focused associations, private-sector technology companies, and multiple federal agency partners, at the State and Local Government Cybersecurity Framework Kickoff event. |
| Framework for Improving Critical Infrastructure Cybersecurity | National Institute of Standards and Technology (NIST) | February 12, 2014 | The voluntary framework consists of cybersecurity standards that can be customized to various sectors and adapted by large and small organizations. DHS announced the Critical Infrastructure Cyber Community (C3)—or "C-cubed"—voluntary program. The C3 program gives state and local governments, and companies that provide critical services such as cell phones, email, banking, and energy, direct access to DHS cybersecurity experts who have knowledge about specific threats, ways to counter those threats, and how, over the long term, to design and build systems that are less vulnerable to cyberthreats. (41 pages) |
| State Cybersecurity Resource Guide: Awareness, Education and Training Initiatives | NASCIO | October 2013 | The guide includes new information from NASCIO's state members, including examples of state awareness programs and initiatives. This additional resource of best-practice information and an interactive state map allow users to drill down to the actual resources that states have developed or are using to promote cyber awareness. It includes contact information for the CISOs; hyperlinks to state security and security awareness pages; and information describing cybersecurity awareness, training, and education initiatives. (64 pages) |
| Cybersecurity for State Regulators 2.0 with Sample Questions for Regulators to Ask Utilities | National Association of Regulatory Utility Commissioners | February 2013 | State commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country, but not a single staff position had "cybersecurity" in the title. (31 pages) |
| | Government Accountability Office | January 27, 2013 | GAO reviewed federal coordination with state and local governments regarding cybersecurity at public-safety entities. The objective was to determine the extent to which federal agencies coordinated with state and local governments concerning cybersecurity efforts at emergency operations centers, public-safety answering points, and first-responder organizations involved in handling 911 emergency calls. GAO analyzed relevant plans and reports and interviewed officials at five agencies that were identified based on their roles and responsibilities established in federal law, policy, and plans, as well as at selected industry associations and state and local governments. (41 pages) |

Source: Highlights compiled by CRS from the reports.
Note: Page counts are given for documents; other cited resources are web pages.
Table 2. International: General
(includes international laws, legislation and agreements, supply chain vulnerabilities, and intellectual property theft)
Title |
Source |
Date |
Notes |
Booz Allen Hamilton and the Economist Intelligence Unit |
Continuously Updated |
The Cyber Hub's content includes integral parts: an index that assesses specific aspects of the cyber environment of the G20 countries and a series of research papers that examine the implications for the business community. |
|
International Telecommunications Union |
Continuously Updated |
Based on questionnaire responses received by member states of the International Telecommunications Union, a first analysis of cybersecurity development in the Arab region was compiled and one for Africa is under way. The objective is to release a global status of cybersecurity for 2014. |
|
Explorations in Cyber International Relations (ECIR): Cyberspace and Cyber Politics |
Massachusetts Institute of Technology (MIT) and Harvard |
Continuously Updated |
ECIR is a collaborative and interdisciplinary research program that seeks to create a field of international cyber relations for the 21st century. It is designed as a theoretically rich, technically informed initiative anchored in diverse tools and methods to identify, measure, model, interpret, and analyze emergent issues, challenges, and responses. The ECIR research plan integrates social sciences, legal studies, computer science, and policy analysis. The research team brings together personnel and institutional resources from MIT and Harvard. After the conclusion of the final exercise next year, the EU will release some top-level lessons learned. |
NATO Cooperative Cyber Defense Center of Excellence (Tallin, Estonia) |
Continuously Updated |
The interactive research tool focuses on the legal and policy documents adopted by international organisations active in cyber security. The collection of documents is periodically updated and supported by a comprehensive system of tags that enable filtering the content by specific sub-domains. INCYDER also features descriptions and news about these selected organisations. |
|
NATO Cooperative Cyber Defense Center of Excellence (Tallin, Estonia) |
Continuously Updated |
The site provides links to national cyber security policy and legal documents. This includes national security and defence strategies that address cyber; national cyber/information security strategies; and relevant legal acts. It is primarily focused on NATO Nations and Partners (includes Euro-Atlantic Partnership Council (EAPC), NATO's Mediterranean Dialogue, Istanbul Cooperation Initiative (ICI), and Partners across the globe), but other national strategies are included as available. |
|
Pell Center for International Relations and Public Policy |
Continuously Updated |
"Leadership in a Cyber Age" is an initiative intended to help prepare America's institutional leaders for the complexities of operating in an era of cyber threat. Ongoing research seeks to identify and investigate key issues in leadership development across society and to recommend improvements so that the United States, as a society, is prepared for the threats of the modern world. |
|
State Department |
Continuously Updated |
S/CCI coordinates the department's global diplomatic engagement on cyber issues and serves as the department's liaison to the White House and federal departments and agencies on cyber issues. S/CCI's coordination function spans the full spectrum of cyber-related issues to include security, economic issues, freedom of expression, and free flow of information on the Internet. |
|
State Department |
Continuously Updated |
The ISAB provides the department with independent insight and advice on all aspects of arms control, disarmament, international security, and related aspects of public diplomacy. The board provides its recommendations to the Secretary of State. |
|
DHS Statement on the Issuance of Binding Operational Directive 17-01 (Kaspersky Products Ban) |
DHS |
September 13, 2017 |
DHS has issued a binding operational directive (BOD) requiring all federal agencies to cease the use of Kaspersky Lab products and services. The agencies have 30 days to identify which products are in use and then 60 days beyond that to create plans to remove them. After 90 days, agencies will need to begin the process of removing the products and services. |
Wired Magazine |
July 1, 2017 |
"... And the blackouts weren't just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyberassault unlike any the world has ever seen. A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations' most basic functions. 'You can't really find a space in Ukraine where there hasn't been an attack,' says Kenneth Geers, a NATO ambassador who focuses on cybersecurity." |
|
Krebs on Security |
June 17, 2017 |
Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information technology in middle and high schools, and yet they lack a Silicon Valley-like pipeline to help talented IT experts channel their skills into high-paying jobs. This post explores the first part of that assumption by examining a breadth of open-source data. |
|
Tainted Leaks: Disinformation and Phishing with a Russian Nexus |
Citizen Lab at the Munk School of Global Affairs at the University of Toronto |
May 25, 2017 |
Researchers have discovered an extensive international hacking campaign that steals documents from its targets, carefully modifies them and repackages them as disinformation aimed at undermining civil society and democratic institutions. The investigators say the campaign shows clear signs of a Russian link. The report also demonstrates overlap with cyberattacks used in the U.S. and French presidential elections, which American and European intelligence agencies and cybersecurity companies have attributed to hacking groups affiliated with the Russian government. |
Toward a Global Norm Against Manipulating the Integrity of Financial Data |
Carnegie Cyber Policy Initiative |
March 28, 2017 |
This white paper proposes that the G20 heads of state should explicitly commit not to manipulate the integrity of data and algorithms of financial institutions and to cooperate when such incidents occur. (20 pages) |
United States Key Deliverables for the 2016 North American Leaders' Summit (U.S.-Canada-Mexico trilateral discussion) |
White House |
June 29, 2016 |
(Scroll down to the Cyber Cooperation section). Leaders affirm that no country should conduct or knowingly support (1) online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide services to the public; (2) activity intended to prevent national computer security incident response teams (CSIRTs) from responding to cyber incidents, or use CSIRTs to enable online activity that is intended to do harm; and (3) cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to its companies or commercial sectors; and that (4) every country should cooperate, consistent with its domestic law and international obligations, with requests for assistance from other states in mitigating malicious cyber activity emanating from its territory. |
Global Commission on Internet Governance |
June 22, 2016 |
The report recommends strict legal controls on the aggregation of personal metadata, net neutrality, open standards, and the mandatory public reporting of high-threshold data breaches. It also offers opinions on areas such as the sharing economy, blockchains, the Internet of Things, IPv6, and DNSSEC. (138 pages) |
|
An American Strategy for Cyberspace: Advancing Freedom, Security, and Prosperity |
American Enterprise Institute |
June 14, 2016 |
The report puts forward a strategic plan grounded in the realities of cyberspace itself, including the rapid pace of change; the importance of economies of scale and scope; the extent to which it is integrated into modern economies, cultures, and political structures; and its inherently global nature. Like our analysis, our recommendations are organized into four areas: Internet Freedom and Human Rights, International Trade and Digital Commerce, Cybercrime and Law Enforcement, and Critical Infrastructure and Cyber Defense. (83 pages) |
World Economic Forum |
January 14, 2016 |
In this annual survey, almost 750 experts assessed 29 separate global risks for both impact and likelihood over a 10-year time horizon. Technological risk, where the highest ranking risk is cyberattack, ranked 11th in both likelihood and impact. The report features 13 trends. This year, climate change, rising income and wealth disparity, and the rise of cyber dependency are the three trends assessed as most important in shaping global development in the next 10 years. (103 pages) |
|
U.S. Army War College Strategic Studies Institute |
September 2015 |
An overview of four different national approaches to cyber defense is discussed: those of Norway, Estonia, Germany, and Sweden. The paper provides a useful guide for engagement with the relevant governmental and other organizations in each of these countries. It compares and contrasts the advantages and drawbacks of each national approach. (65 pages) |
|
National Institute of Standards and Technology (NIST) |
August 10, 2015 |
The report calls for a White House-led oversight body, with the Department of Commerce (DOC) acting as a "subordinate interagency working group" working on behalf of the President. Major policy decisions would be brought to the White House. Federal agencies should make long-term commitments to support international cybersecurity standards by assigning staff specialists to work with standards development organizations. In addition, NIST suggests prioritizing cybersecurity standards that minimize privacy risks. (104 pages) |
|
Trend Micro (Forward Looking Threat Team) |
July 28, 2015 |
The Russian underground is a mature ecosystem that covers all aspects of cybercriminal business activities and offers an increasingly professional underground infrastructure for the sale of malicious goods and services. There is increasing professionalization of the crime business that allows cheaper prices to dominate sales and thereby make it easy and very affordable for anyone without significant skill to buy whatever is needed to conduct criminal dealings. (41 pages) |
|
OAS and FIRST Sign Agreement to Improve Hemispheric Response to Cyber Incidents |
Organization of American States (OAS) |
May 28, 2015 |
OAS and the Forum of Incident Response and Security Teams (FIRST) plan to cooperate on cybersecurity incident response and to promote good cyber hygiene across the Americas. OAS and FIRST signed an agreement pledging to "jointly organize technical incident response activities focused on the needs and challenges of OAS member states" and to help implement OAS's Comprehensive Inter-American Strategy to Combat Threats to Cyber Security and its Declaration on Strengthening Cyber Security in the Americas, adopted by member states in 2004 and 2012, respectively. |
International Telecommunication Union (ITU) and ABI Research |
May 28, 2015 |
Each country profile features information on measures contained in the five key pillars of the Global Cybersecurity Index (GCI), as enshrined in the ITU's Global Cybersecurity Agenda, notably: legal, technical, organizational, capacity building, and cooperation. Information on child online protection measures will be added to each profile. The GCI has been an ongoing project between ITU and ABI Research to map out cybersecurity efforts undertaken at the national level. Each of the six regions (Africa, Americas, Arab States, Asia Pacific, the Commonwealth of Independent States, and Europe) saw regional champions emerge. Good practices from each region and from each of the pillars are highlighted. (528 pages) |
|
Hoover Institution Working Group on Foreign Policy and Grand Strategy |
December 12, 2014 |
The cyber threat needs to be managed through a combination of being realistic and honest about our willingness and capacity to guarantee security in this area; accepting multilateral arrangements to protect commerce and critical infrastructure and leaving traditional forms of intelligence and military activities unregulated; and allowing private companies and individuals to use strong encryption or open-source software without built-in vulnerabilities. (6 pages) |
|
NATO Legal Gazette |
December 2014 |
The NATO Legal Gazette contains thematically organized articles usually written by military or civilian legal personnel working at NATO or in the governments of NATO and partner nations. Its purpose is to share articles of significance for the large NATO legal community and connect legal professionals of the Alliance. It is not a formal NATO document. (74 pages) |
|
ICT4Peace Foundation |
September 3, 2014 |
Civil society does not include the private sector. Nevertheless, natural alliances are emerging between certain of the more tech-oriented civil society organisations (e.g., the Internet Society or the Institute of Electrical and Electronics Engineers (IEEE)) and some Tier 1 carriers (i.e., those carriers with a direct connection to the Internet and networks they use to deliver voice and data services), and major transnational vendors and Internet Service Providers (ISPs). (26 pages) |
|
Consult, Command, Control, Contract: Adding a Fourth "C" to NATO's Cyber Security |
Centre for International Governance Innovation |
August 6, 2014 |
The authors suggest that NATO should implement a contracting protocol that delineates appropriate classifications for the tasks and personnel required for private cybersecurity contracts. They conclude that establishing an oversight organization and submitting a proposal to the International Law Commission to consider the roles of private security actors would create greater transparency and accountability for contracting. (10 pages) |
ICT4Peace Foundation |
May 1, 2014 |
The report is structured around the following three areas: (1) international and regional security; (2) transnational crime and terrorism; and (3) governance, human rights, and development. These areas are interdependent, yet they have traditionally been approached separately through distinct communities of practice and fora. The report is intended to serve as a baseline for future annual reports. It covers January 2011-December 2013 and provides background on earlier events. (50 pages) |
|
U.S.-Russia Bilateral Presidential Commission (BPC) |
December 27, 2013 |
The report includes updates from each of the BPC's 21 working groups. (See the "Working Group on the Threats to and in the Use of Information Communications Technologies in the Context of International Service" section on pages 11-12.) A key component of the discussion is the implementation of the bilateral confidence building measures (CBMs) announced by Presidents Obama and Putin in June 2013. (40 pages) |
|
World Federation of Exchanges (WFE) |
December 12, 2013 |
The WFE launched the exchange industry's first cybersecurity committee with a mission to aid in the protection of the global capital markets. The working group brings together representation from a number of exchanges and clearinghouses across the globe to collaborate on best practices in global security. |
|
United Nations General Assembly, Group of Governmental Experts |
June 24, 2013 |
The report states that UN-member states should abide by international law, particularly the UN Charter, when operating in cyberspace; honor the norm of state responsibility for cyberattacks emanating from their territory; work to develop confidence building measures to reduce the risk of conflict by increasing the predictability of state actions; and engage in capacity building efforts to assist developing countries in building the required skills to protect their networks and citizens. (13 pages) |
|
Confidence Building Measures and International Cybersecurity |
ICT4Peace Foundation |
June 21, 2013 |
Confidence-building measures can lay the foundation for agreeing on acceptable norms of behavior for states, and confidence- and trust-building measures can help to avoid miscalculation and escalation. The report is divided into four main sections: (1) Transparency, Compliance, and Verification Measures; (2) Cooperative Measures; (3) Collaboration and Communication Mechanisms; and (4) Stability and Restraint Measures. A final section discusses next steps for diplomatic confidence-building processes. (21 pages) |
FACT SHEET: U.S.-Russian Cooperation on Information and Communications Technology Security |
White House |
June 17, 2013 |
The United States and the Russian Federation created a new working group, under the auspices of the Bilateral Presidential Commission, dedicated to assessing emerging ICT threats and proposing concrete joint measures to address them. |
Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment |
Government Accountability Office (GAO) |
May 21, 2013 |
The federal government began efforts to address the security of the supply chain for commercial networks. There are a variety of approaches for addressing the potential risks posed by foreign-manufactured equipment in commercial communications networks, including those taken by foreign governments. Although these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chose to pursue such approaches. (52 pages) |
Alliance for American Manufacturing |
May 2013 |
Because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective. (355 pages) |
|
The Tallinn Manual on the International Law Applicable to Cyber Warfare |
Cambridge University Press/NATO Cooperative Cyber Defence Center of Excellence |
March 5, 2013 |
The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 "black-letter rules" governing such conflicts. An extensive commentary accompanies each rule, which sets forth each rule's basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule's application. (Note: The manual is not an official NATO publication, but an expression of opinions of a group of independent experts acting solely in their personal capacity.) (302 pages) |
Worldwide Threat Assessment of the U.S. Intelligence Community (Testimony) |
James Clapper, Director of National Intelligence |
February 11, 2013 |
Clapper provided an assessment of global threats: U.S. critical infrastructure, eroding U.S. economic and national security, information control and Internet governance, and hacktivists and criminals. (34 pages) |
Microsoft Trustworthy Computing |
February 6, 2013 |
Introduces a new methodology for examining how socioeconomic factors in a country or region impact cybersecurity performance. Examines measures such as use of modern technology, mature processes, user education, law enforcement, and public policies related to cyberspace. This methodology can build a model that will help predict the expected cybersecurity performance of a given country or region. (27 pages) |
|
United Nations Office on Drugs and Crime |
February 2013 |
The study examined the problem of cybercrime from the perspective of governments, the private sector, academia, and international organizations. The results are presented in eight chapters, covering (1) Internet connectivity and cybercrime; (2) the global cybercrime picture; (3) cybercrime legislation and frameworks; (4) criminalization of cybercrime; (5) law enforcement and cybercrime investigations; (6) electronic evidence and criminal justice; (7) international cooperation in criminal matters involving cybercrime; and (8) cybercrime prevention. (320 pages) |
|
Administration Strategy for Mitigating the Theft of U.S. Trade Secrets |
White House |
February 2013 |
The report states, "First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft." (141 pages) |
The Challenge of Cyber Power for Central African Countries: Risks and Opportunities |
Naval Postgraduate School |
December 2012 |
According to the report, Central African militaries, which are supposed to be the first line of defense for their governments' institutions, are dramatically behind the times. To address this situation, the governments of Central Africa need to adopt a collaborative cyber strategy based on common investment in secure cyber infrastructures. Such cooperation will help to create a strong cyber environment conducive to the confidence and trust necessary for the emergence of a cyber community of Central African States (C3AS). For Central African militaries, massive training and recruiting will be the first move to begin the process of catching up. (209 pages) |
Organization for Economic Co-operation and Development (OECD) |
November 29, 2012 |
The OECD launched a broad consultation of all stakeholders from member and nonmember countries to review its security guidelines. The review takes into account newly emerging risks, technologies, and policy trends in areas such as cloud computing, digital mobility, the Internet of things, and social networking. |
|
OECD |
November 16, 2012 |
The report analyzes the latest generation of national cybersecurity strategies in 10 OECD countries and identifies commonalities and differences. (117 pages) |
|
Parliamentary Library of Australia |
October 24, 2012 |
In July 2012, the Commonwealth Attorney General's Department released a discussion paper, Equipping Australia against emerging and evolving threats, on the proposed national security reforms. Of the 18 primary proposals and the 41 individual reforms that they comprised, the issue that seems to have attracted the most attention is the suggestion that carriage service providers (CSPs) be required to routinely retain certain information associated with every Australian's use of the Internet and phone services for a period of up to two years (i.e., data retention). (32 pages) |
|
United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling? |
Triangle Institute for Security Studies |
March 2012 |
The incongruence between national counterterrorism (CT) cyber policy, law, and strategy degrades the abilities of federal CT professionals to interdict transnational terrorists from within cyberspace. Specifically, national CT cyber policies that are not completely sourced in domestic or international law unnecessarily limit the latitude cyber CT professionals need to effectively counter terrorists using organic cyber capabilities. (34 pages) |
McAfee |
February 1, 2012 |
Forty-five percent of legislators and cybersecurity experts representing 27 countries think cybersecurity is just as important as border security. The authors surveyed 80 professionals from business, academia, and government to gauge worldwide opinions of cybersecurity. (108 pages) |
|
Office of the National Counterintelligence Executive |
October 2011 |
According to the report, espionage and theft through cyberspace are growing threats to the United States' security and economic prosperity, and the world's most persistent perpetrators happen to also be U.S. allies. (31 pages) |
|
White House/Office of Management and Budget |
May 16, 2011 |
The strategy marks the first time any Administration has attempted to set forth in one document the U.S. government's vision for cyberspace, including goals for defense, diplomacy, and international development. (30 pages) |
|
EastWest Institute |
February 3, 2011 |
According to the report, the authors "led [a group of] cyber and traditional security experts through a point-by-point analysis of the Geneva and Hague Conventions. Ultimately, the group made five immediate recommendations for Russian and U.S.-led joint assessments, each exploring how to apply a key convention principle to cyberspace." (60 pages) |
|
United States Faces Challenges in Addressing Global Cybersecurity and Governance |
GAO |
August 2, 2010 |
GAO recommends that the special assistant to the President and cybersecurity coordinator should make recommendations to appropriate agencies and interagency coordination committees regarding any necessary changes to more effectively coordinate and forge a coherent national approach to cyberspace policy. (53 pages) |
The Reliability of Global Undersea Communications Cable Infrastructure (The ROGUCCI Report) |
Institute of Electrical and Electronics Engineers/EastWest Institute |
May 26, 2010 |
This study submits 12 major recommendations to the private sector, governments, and other stakeholders—especially the financial sector—for the purpose of improving the reliability, robustness, resilience, and security of the world's undersea communications cable infrastructure. (186 pages) |
Source: Highlights compiled by CRS from the reports.
Notes: Page counts are for documents; other cited resources are web pages.
Source |
Date |
Notes |
|
China's Threat to the Competitiveness and Security of the U.S. Semiconductor Industry |
Stewart and Stewart |
February 17, 2017 |
The U.S. semiconductor industry is experiencing a slowdown in the pace of technological development, and its competitiveness is being threatened by China's targeted interference in the semiconductor market through non-market means. These issues have raised serious concerns at senior levels of the U.S. government in both the Obama and Trump Administrations. The authors elaborate on China's actions and discuss some of the legal mechanisms available to the U.S. government and domestic industry to combat the threats posed by China's policies. (10 pages) |
Third U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues |
DHS |
December 8, 2016 |
The dialogue aims to review the timeliness and quality of responses to requests for information and assistance with respect to cybercrime or other malicious cyber activities, and to enhance pragmatic bilateral cooperation with regard to cybercrime, network protection and other related issues. Both sides endorse the establishment of the dialogue mechanism as beneficial to bilateral communication and enhanced cooperation, and believe that further solidifying, developing, and maintaining the dialogue mechanism and continuing to strengthen bilateral cooperation in cybersecurity is beneficial to mutual interests. |
Science, Space, and Technology Committee's Investigation of FDIC's Cybersecurity |
House Science, Space, and Technology Committee (Staff Report) |
July 12, 2016 |
According to congressional investigators, the Chinese government hacked into 12 computers and 10 backroom servers at the FDIC, including the personal computers of the agency's top officials: the FDIC chairman, his chief of staff, and the general counsel. When congressional investigators tried to review the FDIC's cybersecurity policy, the agency hid the hack. (25 pages) |
Trends in Chinese Cyber Espionage Campaigns (registration required) |
U.S. State Department - Overseas Security Advisory Council |
June 27, 2016 |
The report assesses the recent FireEye report tracking network compromises by China-based hackers since mid-2014. Multiple studies have contributed to the assessment that China-based network intrusions are still ongoing, only a fraction of which may be detected by researchers. Despite the decline shown in metrics, China remains a serious cyber-threat actor to U.S. firms. (3 pages) |
Redline Drawn: China Recalculates Its Use of Cyber Espionage |
FireEye iSight Intelligence |
June 2016 |
Chinese hacking of U.S. government and corporate networks has sharply declined since 2014. FireEye observed only a handful of network intrusions attributed to Chinese groups in April of this year, down from more than 60 in February of 2013. The shift is likely the result of a confluence of factors, including actions taken by the U.S. government, but it is not solely the result of a September anti-hacking pledge struck by President Obama and Chinese President Xi Jinping. (16 pages) |
Department of Defense |
April 26, 2016 |
DOD's annual report to Congress on China's capabilities asserts that China's military conducted cyber probes and intrusions against U.S. computer networks to support intelligence collection and electronic warfare…. Highlighting what the Pentagon describes as China's focus on improving cyber capabilities to counter a "stronger foe," the report concludes that information gleaned by hackers "could inform Chinese military planners' work to build a picture of U.S. defense networks, logistics, and related military capabilities that could be exploited during a crisis." (156 pages) |
|
RAND Corporation |
March 2016 |
The study looks at two basic questions: Can the United States and China achieve meaningful outcomes through formal negotiations over norms and rules in cyberspace? And, if so, what areas are most likely to yield agreement and what might be exchanged for what? The analysis should be of interest to two communities: those concerned with U.S. relations with China and those concerned with developing norms of conduct in cyberspace, notably those that enhance security and freedom. (121 pages) |
|
(Chapter from Research Handbook on International Law and Cyberspace) |
December 31, 2015 |
ASEAN. The ARF and APEC have sought to prevent, regulate, and mitigate the effects of malicious use of the Internet for criminal and terrorist purposes, largely through enhancing information sharing between national CERTs and domestic law enforcement agencies, and by setting regional standards for national cyber-related laws and policy. However, these measures only go some way to addressing regional cyber security concerns, and their effectiveness is threatened by new challenges, in particular the emerging preeminence of sovereignty considerations in cyber policymaking. (Note: Cyber Security in the Asia-Pacific chapter starts on p. 10.) (18 pages) |
|
U.S.-China Economic Commission |
November 17, 2015 |
Reportedly, China causes increasing harm to the U.S. economy and security through two deliberate policies targeting the U.S.: coordinated, government-backed theft of information from a wide variety of U.S.-based commercial enterprises, and widespread restrictions on content, standards, and commercial opportunities for U.S. businesses. Hackers working for the Chinese government—or with the government's support and encouragement—have infiltrated the computer networks of U.S. government agencies, contractors, and private companies, and stolen personal information and trade secrets. (See Chapter 1, Section 4: Commercial Cyber Espionage and Barriers to Digital Trade in China.) (631 pages) |
|
The U.S.-China Military Scorecard: Forces, Geography, and the Evolving Balance of Power, 1996-2017 |
RAND Corporation |
September 14, 2015 |
The report, which rates the capabilities of U.S. and Chinese militaries over the course of two situations, a conflict over Taiwan and one over the Spratly Islands, dedicates an entire chapter to the respective cyber capabilities of both sides. As it maps out the potential conflicts, and in turn the potential ways each country could attack the other's network, it becomes apparent why a first agreement between President Barack Obama and President Xi might focus on the rules of the road for attacks on core infrastructure instead of on better publicized Chinese attacks aimed at gaining advantages and intellectual property for companies. See Chapter Eleven: Scorecard 9: U.S. and Chinese Cyberwarfare Capabilities, pp. 259-284. (430 pages) |
Asian Technology Information Program |
June 5, 2015 |
This report reviews major government research projects and introduces the leading research groups in the field of cyber security in China. It provides an overview of the recent progress made in the areas of cryptography, web security, intrusion detection and attack analysis, cloud security, mobile security, and security of wireless sensor networks in China. (27 pages) |
|
FireEye |
April 2015 |
A Chinese government hacking team has used the same basic set of tools to spy on Southeast Asian and Indian dignitaries for a decade, demonstrating the low level of cyber defenses protecting government information across broad swaths of the world. That this group, APT30, has been able to use the same basic set of malware tools against government networks since at least 2005 suggests that its targets either remained unaware for more than a decade that they were being spied on or were incapable of countering the threat. (70 pages) |
|
Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors |
Senate Armed Services Committee |
September 17, 2014 |
Hackers associated with the Chinese government successfully penetrated the computer systems of Transportation Command (TRANSCOM) contractors 20 times in the course of a single year. Chinese hackers tried to get into the systems 50 times. The congressional committee found that only two of the intrusions were detected, and that officials were unaware due in large part to unclear requirements and methods for contractors to report breaches and for government agencies to share information. (52 pages) |
Mapping the Cyber Dragon: China's Conduct of Terror in the Cyber World |
Defense and Diplomacy Journal |
July-September 2014 |
"[A]mong all the major players of the world, one country which participates in, and practices, all the above mentioned forms of cyber conflict, not only in the military sector but also in the civilian sector, is the People's Republic of China (PRC). Therefore, for a broader perspective of global cyber security, it is imperative to understand the various types of modus operandi and other methodologies of different groups, in both military and civilian sectors involved in cyber conflicts, from China who are creating potential terror in the cyber domain." (13 pages) |
Centre for International Governance Innovation |
June 20, 2014 |
The paper explores the recent unsealing of a 31-count indictment against five Chinese government officials and a significant cyber breach perpetrated by Chinese actors against Western oil, energy, and petrochemical companies. Increased cooperation among governments is necessary but unlikely to occur as long as the discourse surrounding cybercrime remains so heavily politicized and securitized. (23 pages) |
|
U.S.-China Economic and Security Review Commission |
May 7, 2014 |
Despite major differences on cyberspace policy between the United States and China, a development at the United Nations illustrates basic areas of agreement. The United States and China were among 15 countries affirming the applicability of international law to cyberspace in a 2013 UN report. The same group will gather in 2014 to address some of the more challenging and divisive concepts regarding state responsibility and use of force in cyberspace. (11 pages) |
|
Australian Strategic Policy Institute |
April 14, 2014 |
The institute assesses regional digital maturity across government, business, society, and the military. Australia comes out ahead of China, Japan, and South Korea regarding overall digital strength in the region and ranks third behind the United States and China in cyber warfare. The Asia-Pacific region is increasingly the focus of cyberattacks, including criminal and state-sponsored hacking and espionage. (76 pages) |
|
U.S.-China Economic Commission |
October 20, 2013 |
In 2013, the commission continued to closely examine China's cyber capabilities. Strong evidence emerged that the Chinese government is directing and executing a large-scale cyber-espionage campaign against the United States, including the U.S. government and private companies. However, public exposure of this cyber espionage apparently has not changed China's attitude about the use of cyber espionage to steal intellectual property and proprietary information. (See Chapter 2, Section 2: "China's Cyber Activities.") (465 pages) |
|
Department of Defense (DOD) |
May 6, 2013 |
China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs. The information targeted could potentially be used to benefit China's defense industry; high-technology industries; policymaker interest in U.S. leadership thinking on key China issues; and military planners building a picture of U.S. defense networks, logistics, and military-related capabilities that could be exploited during a crisis. (92 pages) |
|
Center for Strategic and International Studies |
March 11, 2013 |
The paper presents evidence that China and Chinese hackers are responsible for the many incidents attributed to them. CSIS reviewed open source literature identifying China as the source of hacking and cyber espionage incidents. The paper provides an initial list of other major cyber incidents attributed to China by officials in Australia, Canada, France, Germany, India, Japan, the UK, and other countries not discussed. The list is divided into two parts. The first section lists reports that identify specific individuals and entities; the second section refers to incidents ascribed generally to China. These reports identify six groups and 14 individuals, all but one connected to the Chinese government and most with connections to the People's Liberation Army (PLA), as responsible for cyber espionage. (15 pages) |
|
APT1 [Advanced Persistent Threat 1]: Exposing One of China's Cyber Espionage Units |
Mandiant |
February 19, 2013 |
Mandiant conducted hundreds of investigations on computer security breaches around the world. The details analyzed during these investigations signal that the groups conducting these breaches are based primarily in China and that the Chinese government is aware of them. (76 pages) |
Mandiant |
February 19, 2013 |
Five-minute video of APT1 attacker sessions and intrusion activities. (Click on "APT1 Video" at top right of screen.) |
|
University of California Institute on Global Conflict and Cooperation |
January 25, 2013 |
The collection of 15 policy briefs explores how China has made such impressive military technological progress over the past few years, what is in store, and what are the international security implications. The briefs are summaries of a series of longer research papers presented at the third annual Chinese defense economy conference held by the Study of Innovation and Technology in China in July 2012. (87 pages) |
|
U.S.-China Economic and Security Review Commission |
November 2012 |
The report responds to the mandate for the commission "to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People's Republic of China." See "China's Cyber Activities," Chapter 2, Section 2, pp. 147-169. (509 pages) |
|
Lawrence Livermore National Laboratory |
October 17, 2012 |
The report analyzes how the Chinese leadership views information technology research and development (R&D) as well as the role cyber R&D plays in China's various strategic development plans. It explores the organizational structure of China's cyber R&D base and concludes with a projection of how China might field new cyber capabilities for intelligence platforms, advanced weapons systems, and systems designed to support asymmetric warfare operations. (17 pages) |
|
House Permanent Select Committee on Intelligence |
October 8, 2012 |
The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States. (60 pages) |
|
China Institute of Contemporary International Relations (CICIR) and the Center for Strategic and International Studies (CSIS) |
June 2012 |
Since 2009, CSIS and CICIR have held six formal meetings on cybersecurity called "Sino-U.S. Cybersecurity Dialogues." A broad range of U.S. and Chinese officials and scholars responsible for cybersecurity issues attended the meetings. The goals of the discussions were to reduce misperceptions, to increase transparency among both countries' authorities, and to improve understanding of how each country approaches cybersecurity. The meetings also sought to identify areas of potential cooperation. |
Title |
Source |
Date |
Notes |
Cabinet Office, United Kingdom |
Continuously Updated |
A National Cyber Security Programme (NCSP) backed by £650 million of funding to 2015 was put in place to support the strategy. An additional £210 million in 2015 to 2016 increased that investment. This funding builds on existing projects and supports new investments, enabling the UK to retain its emerging reputation as a leader in the field of cyber security. |
|
Europol |
Continuously Updated |
The European Commission decided to establish a European Cybercrime Centre (EC3) at Europol. The center will be the focal point in the EU's fight against cybercrime, contributing to faster reactions in the event of online crimes. It will support EU member states and institutions in building operational and analytical capacity for investigations and cooperation with international partners. |
|
Massachusetts Institute of Technology (MIT) and Harvard University |
Continuously Updated |
ECIR is a collaborative and interdisciplinary research program that seeks to create a field of international cyber relations for the 21st century. It is designed to identify, measure, model, interpret, and analyze emergent issues, challenges, and responses. The ECIR research plan integrates social sciences, legal studies, computer science, and policy analysis. |
|
State of the Union 2017 - Cybersecurity: Commission scales up EU's response to cyber-attacks |
European Commission |
September 19, 2017 |
The European Commission unveils proposals for measures to boost cybersecurity in the EU. The package includes a proposal for an EU Cybersecurity Agency to assist member states in dealing with cyber-attacks and a European certification scheme to ensure that products and services in the digital world are safe to use. |
European Council |
June 10, 2017 |
A joint framework, dubbed the "cyber diplomacy toolbox," will guide how member countries should uniformly respond to malicious cyber-activity, which includes steps to cooperatively impose economic sanctions, travel bans, asset freezes and blanket bans against responsible parties. The framework is expected to encourage cooperation, facilitate mitigation of immediate and long-term threats, and influence the behaviour of potential aggressors in the long term. |
|
European Commission |
June 7, 2017 |
The European Commission wants a larger role in addressing cyberattacks, including everything from "softer" diplomatic tools to a common cyber policy. The strategic paper does not specify upcoming initiatives, but it shows the commission's eagerness to take up a greater role in coordinating responses to cyberattacks and supporting EU countries with funding and expertise to increase their cyber defenses. The announcement included a communication of the EU's plan to pour €5.5 billion into the security and defense industry starting in 2020, including funding for cyber research and cyber-defense projects. (24 pages) |

DHS S&T Cyber Security Division 5-Year International Collaboration Broad Agency Announcement (BAA)
DHS
February 6, 2017
DHS is partnering with a dozen foreign governments and the EU to enhance global cybersecurity. The governments, including the U.K., Germany, and Israel, will help DHS evaluate white papers and proposals from contractor teams. They will work together on issues including network security and the human aspects of cybersecurity. The collaboration is part of a Broad Agency Announcement (BAA), against which specific requests will be issued. (1 page)

EU-NATO cooperation: Council adopt conclusions to implement Joint Declaration
EU, European Commission, NATO
December 6, 2016
The agreement will allow NATO and the EU's "fusion cells," groups of experts who are supposed to detect and help rebuff hybrid or cyberattacks, to synchronize their work, and teams of on-call experts will be able to coordinate their planned responses.

G-7 Fundamental Elements of Cybersecurity for The Financial Sector
Treasury Department
October 11, 2016
The finance ministers and central bank governors of the G-7 countries released the fundamental elements, which provide a concise set of principles on best practices in cybersecurity for public and private entities in the financial sector. Public authorities, including finance ministries, central banks, and regulators, can also use the elements to inform their efforts both to protect the financial sector from cyberattacks and to effectively respond to and recover from incidents when they occur. (3 pages)

Directive on security of network and information systems (NIS Directive)
European Parliament
July 6, 2016
The European Parliament has approved cybersecurity legislation that "establish[es] a common level of network and information security and enhance[s] cooperation among EU member states, which will help prevent cyberattacks on Europe's important interconnected infrastructures." The new rules affect a broad spectrum of business sectors, including finance, energy, transportation, and technology. (30 pages)

G7 Leaders
May 26, 2016
Cybersecurity: "We strongly support an accessible, open, interoperable, reliable and secure cyberspace as one essential foundation for economic growth and prosperity. We promote digital adoption for improved quality of life, by bridging digital divides, enabling innovative business models and affordable universal and high quality access to Information and Communication Technologies (ICTs) as well as enhancing digital literacy. We endorse the G7 Principles and Actions on Cyber and commit to take decisive actions." (32 pages)

Joint Declaration by G7 ICT Ministers (Action Plan on Implementing the Charter)
G7 ICT Ministers
April 30, 2016
Promoting cybersecurity. "(19.) We reaffirm our support for policies that improve cybersecurity as essential for the development of a trustworthy digitally connected world. As part of our efforts to address cybersecurity risks, threats and vulnerabilities, including those to ICT and ICT-enabled critical infrastructures, we endeavor to strengthen international collaboration, capacity building and public-private partnerships. We also support risk management based approaches to cybersecurity including research on methods to analyze threats and continue to work with all stakeholders on such efforts also through constructive discussions in international fora. (20.) To promote cybersecurity awareness, all stakeholders in the digitally connected world must take active responsibility. To this end, we recognize the importance of developing human capital to reduce threats to cybersecurity. That could be done through training, education and increased awareness to enable citizens, enterprises including critical infrastructure operators and governments to meet their objectives in an efficient manner."

European Union
April 21, 2016
European Union member states issued a directive that requires companies that suffer serious cyberattacks to notify authorities in the EU country in which they are based. The EU Network and Information Security (NIS) Directive would apply the notification obligation to companies in two categories: those considered to be in "critical sectors," and digital service providers, that is, online marketplaces, search engines, and cloud service providers. (77 pages)

Operationalizing Cybersecurity Due Diligence: A Transatlantic Comparative Case Study
South Carolina Law Review
January 12, 2016
Although much work has been done on applying the law of warfare to cyberattacks, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations' due diligence obligations are to one another and to the private sector, as well as how these obligations should be translated into policy. The article analyzes how both the United States and the European Union are operationalizing the concept of cybersecurity due diligence and investigates a menu of options presented to the European Parliament in November 2015 to further refine and apply this concept. (28 pages)

Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses
RAND Corp.
November 18, 2015
The report finds that the existing cybersecurity measures in the EU are fragmented, largely due to gaps in operational capabilities as well as differing strategic priorities of member states regarding cybersecurity. Whether the EU response to cybersecurity should adopt a formal and mandatory character is also debated. It suggests five policy options that the European Parliament (EP) should consider in order to improve the EU's overall approach to cybersecurity. (153 pages)

FACT SHEET: The 2015 G-7 Summit at Schloss Elmau, Germany
White House
June 8, 2015
Member nations of the Group of Seven (G7) announced a new cooperative effort to guard the energy sector from hackers, cyber-spies, and other online attackers. The seven industrialized democracies will exchange information on methodologies for identifying cyber threats and vulnerabilities within the energy sector, sharing best practices and making "investment in cybersecurity capabilities and capacity building." See "Launching New Work on Energy Sector Cybersecurity" on the Fact Sheet.

European Commission
April 28, 2015
The agenda pledges EU nations to review obstacles to cross-border cybercrime investigations, especially those related to jurisdiction and evidence sharing. It also pledges EU institutions to follow through on commitments in the 28-nation bloc's 2013 Cybersecurity Strategy, especially by adopting a proposal for a binding EU-wide directive on network and information security. (21 pages)

EU Cybersecurity Dashboard: A Path to a Secure European Cyberspace
Business Software Alliance (BSA)
March 4, 2015
The report analyzes the current status of all 28 member states against pre-determined criteria for cybersecurity best practices. (20 pages)

Joint Committee Report on Risks and Vulnerabilities in the EU Financial System
European Banking Authority
March 2015
Cybercrime and computer failure are areas of great concern and should be included in financial firms' risk management procedures, according to a report by EU bank, insurance, and market regulators. Financial institutions should be encouraged to integrate IT security and resilience into their proprietary risk models. System security and IT strategy carry their own risks and complexities that can bleed across into more traditional forms of risk. (15 pages)

White House
January 16, 2015
The UK's Government Communications Headquarters (GCHQ) and Security Service (MI5) are working with their U.S. partners, the National Security Agency and the Federal Bureau of Investigation, to further strengthen U.S.-UK collaboration on cybersecurity by establishing a joint cyber cell, with an operating presence in each country. The cell, which will allow staff from each agency to be co-located, will focus on specific cyber defense topics and enable cyber threat information and data to be shared at pace and at greater scale.

Threat Landscape and Good Practice Guide for Internet Infrastructure
European Union Agency for Network and Information Security (ENISA)
January 2015
The report details the assets composing an Internet infrastructure and classifies the threats applicable, highlighting "important specific threats" that disrupt connectivity. These include routing threats, DNS threats, and (Distributed) Denial of Service. Each threat is linked with a list of assets exposed. Overall, there is an increase in the occurrence of these threats. (64 pages)

U.S. State Department and European Union (EU)
December 5, 2014
U.S. and EU officials said at an inaugural cyber dialogue meeting in Belgium that they had reaffirmed numerous shared principles, including a commitment to a multistakeholder Internet governance model and international cooperation on cybersecurity. In a joint preliminary statement, the officials also reiterated their support for a 2013 United Nations Governmental Group of Experts consensus that international law applies in cyberspace just as it does on land or at sea and for the 2012 Budapest Convention, a treaty focused on international cooperation to fight cybercrime.

European Parliamentary Research Service
October 31, 2014
A number of EU member states are among those developing their capabilities, and the EU's own Defence Agency is also working on projects to augment cyber defenses in the union. The report includes summaries of EU member nations' and NATO's national cyber-defense policies. (10 pages)

ISACA
August 26, 2014
ISACA has released the European Cybersecurity Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice.

Oxford Economics
July 2014
The UK Centre for the Protection of National Infrastructure asked Oxford Economics to carry out a study of the impact of state-sponsored cyberattacks on UK firms. The study consists of the elaboration of an economic framework for cyberattacks, a survey of UK firms on cyberattacks, an event study on the impact of cyberattacks on stock-market valuations, and a series of case studies illustrating the experience of several UK firms with cyberattacks. (79 pages)

Centre for the Protection of National Infrastructure (UK)
July 2014
The iDATA program consists of a number of projects aimed at addressing threats posed by nation-states and state-sponsored actors. iDATA has resulted in several outputs for the cybersecurity community. The document provides a description of the iDATA program and a summary of the reports. (8 pages)

White House
March 26, 2014
The new high-level U.S.-EU Cyber Dialogue announced at the 2014 U.S.-EU Summit will formalize and broaden cooperation between the United States and the EU on cyber issues, building on shared commitments and achievements in key areas.

European Parliament
March 13, 2014
The directive would require companies operating critical infrastructure to maintain a specified minimum level of cybersecurity preparedness and to report to national authorities about cyberattacks with a significant impact on the security of their networks.

UK Department for Business Innovation and Skills and the Centre for the Protection of National Infrastructure
February 4, 2014
The joint communiqué outlines steps UK regulators and government departments have agreed to undertake to improve the country's cyber systems and network defenses. Steps to combat cyberattacks include (1) assessing the state of cybersecurity across each sector and working with industry to address vulnerabilities; (2) working with industry to increase information flows on threats, vulnerabilities, and mitigation strategies; and (3) encouraging companies to join information-sharing initiatives. (20 pages)

Council of Europe
December 2013
The handbook is a first point of reference on both EU law and the European Convention on Human Rights (ECHR) on data protection, and it explains how the field of data protection is regulated under EU law and the ECHR as well as under the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and other council instruments. Each chapter presents a single table of the applicable legal provisions, including important selected case law under the two separate European legal systems. (214 pages)

Directive of the European Parliament and of the Council on Attacks Against Information Systems
European Parliament Civil Liberties Committee
August 12, 2013
The objectives of this directive are (1) to approximate the criminal law of EU member states in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offenses and the relevant sanctions and (2) to improve cooperation between competent authorities, including the police and other specialized law-enforcement services of member states, as well as the competent specialized EU agencies and bodies, such as Eurojust, Europol and its European Cyber Crime Centre, and the European Network and Information Security Agency. (7 pages)

The Global Cyber Game: Achieving Strategic Resilience in the Global Knowledge Society
Defence Academy of the United Kingdom
May 8, 2013
Provides a systematic way of thinking about cyberpower and its use by a range of global players. The global cyberpower contest is framed as a global cyber game, played out on a "Cyber Gameboard," a framework that can be used for strategic and tactical thinking about cyber strategy. (127 pages)

Australia Department of Defence
May 3, 2013
The paper states that "The Australian Cyber Security Centre will bring together security capabilities from the Defence Signals Directorate, Defence Intelligence Organisation, Australian Security Intelligence Organisation, the Attorney-General's Department's Computer Emergency Response Team Australia, Australian Federal Police, and the Australian Crime Commission." (148 pages)

Cabinet Office, United Kingdom
March 27, 2013
CISP introduces a secure virtual "collaboration environment" in which government and industry partners can exchange information on threats and vulnerabilities in real time. CISP will be complemented by a "Fusion Cell," which will be supported on the government side by the Security Service, Government Communications Headquarters, and the National Crime Agency, and by industry analysts from a variety of sectors.

Defence and Cyber-Security, vol. 1 - Report, together with formal minutes, oral and written evidence; Defence and Cyber-Security, vol. 2 - Additional Written Evidence
House of Commons Defence Committee (UK)
December 18, 2012
"Given the inevitable inadequacy of the measures available to protect against a constantly changing and evolving threat ... it is not enough for the Armed Forces to do their best to prevent an effective attack. In its response to this report the Government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so—and urgently create some." (99 pages (vol. 1) and 37 pages (vol. 2))

Five Years after Estonia's Cyber Attacks: Lessons Learned for NATO?
North Atlantic Treaty Organization (NATO)
May 2012
In April 2007, a series of cyberattacks targeted Estonian information systems and telecommunication networks. Lasting 22 days, the attacks were directed at a range of servers (i.e., web, email, domain name systems) and routers. The 2007 attacks did not damage much of the Estonian IT infrastructure. However, the attacks were a message to NATO, offering a practical demonstration that cyberattacks could now cripple an entire nation dependent on IT networks. (8 pages)

Organisation for Economic Co-operation and Development (OECD)
December 8, 2009
This is a private-industry initiative that aims to ensure that customers whose personal computers have become part of a botnet without their knowledge are informed by their ISPs about this situation and given competent support in removing the malware. (4 pages)
Source: Highlights compiled by CRS from the reports.
Note: Page counts are given for documents; other cited resources are web pages.