Cybersecurity: State, Local, and International Authoritative Reports and Resources

Much is written by and about state, local, and international government efforts to address cybersecurity policy issues. This report and the CRS reports listed below link to authoritative sources that address many of the most prominent issues. It includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources. These sources are listed in reverse chronological order, with an emphasis on materials published in the past several years.

This report is intended to serve as a starting point for congressional staff assigned to cover cybersecurity policy issues. It includes annotated descriptions of reports, websites, or external resources related to

Table 1, state, local, and tribal governments, including selected state status reports, surveys, and guidance documents

Table 2, international, including international laws, legislation, and agreements, supply chain vulnerabilities, and intellectual property theft

Table 3, international—China, including espionage, cybercrime, and national security issues

Table 4, international—Europe, European Union, and United Kingdom

The following CRS reports comprise a series that compiles authoritative reports and resources on these additional cybersecurity topics:

CRS Report R44405, Cybersecurity: Overview Reports and Links to Government, News, and Related Resources, by Rita Tehan

CRS Report R44406, Cybersecurity: Education, Training, and R&D Authoritative Reports and Resources, by Rita Tehan

CRS Report R44408, Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources, by Rita Tehan

CRS Report R44410, Cybersecurity: Critical Infrastructure Authoritative Reports and Resources, by Rita Tehan

CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan

CRS Report R43310, Cybersecurity: Data, Statistics, and Glossaries, by Rita Tehan

Cybersecurity: State, Local, and International Authoritative Reports and Resources

November 21, 2017 (R44417)
Jump to Main Text of Report


Much is written by and about state, local, and international government efforts to address cybersecurity policy issues. This report and the CRS reports listed below link to authoritative sources that address many of the most prominent issues. It includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources. These sources are listed in reverse chronological order, with an emphasis on materials published in the past several years.

This report is intended to serve as a starting point for congressional staff assigned to cover cybersecurity policy issues. It includes annotated descriptions of reports, websites, or external resources related to

  • Table 1, state, local, and tribal governments, including selected state status reports, surveys, and guidance documents
  • Table 2, international, including international laws, legislation, and agreements, supply chain vulnerabilities, and intellectual property theft
  • Table 3, international—China, including espionage, cybercrime, and national security issues
  • Table 4, international—Europe, European Union, and United Kingdom

The following CRS reports comprise a series that compiles authoritative reports and resources on these additional cybersecurity topics:

Cybersecurity: State, Local, and International Authoritative Reports and Resources


Much is written by and about state, local, and international government efforts to address cybersecurity policy issues. This report links to authoritative sources that address many of the most prominent issues. It includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources. These sources are listed in reverse chronological order, with an emphasis on materials published in the past several years.

This report is intended to serve as a starting point for congressional staff assigned to cover cybersecurity policy issues. It includes annotated descriptions of reports, websites, or external resources related to:

  • Table 1, state, local, and tribal governments, including selected state status reports, surveys, and guidance documents
  • Table 2, international, including laws, legislation, and agreements; supply chain vulnerabilities; and Russia and intellectual property theft
  • Table 3, international—China, including espionage, cybercrime, and national security issues
  • Table 4, International—Europe, European Union, and United Kingdom

Table 1. State, Local, and Tribal Governments

(including selected state status reports, surveys, and guidance documents)





State Cybersecurity Legislation

National Conference of State Legislatures

Continuously Updated

At least 41 states have introduced more than 240 bills or resolutions related to cybersecurity.

Data Breach Notification Archive

Massachusetts Consumer Affairs and Business Regulation

Continuously Updated

The state of Massachusetts made public an online archive of data breach notifications affecting Massachusetts residents from 2007 through 2016. The state's Data Breach Security Law, in effect since October 31, 2007, requires businesses and others that own or license personal information of state residents to notify affected residents, the Office of Consumer Affairs and Business Regulation and the office of the attorney general when they know or have reason to know that the personal information of a resident was acquired or used by an unauthorized person, or used for an unauthorized purpose.

Michigan Cyber Range

Merit Network

Continuously Updated

Enables individuals and organizations to develop detection and reaction skills through simulations and exercises. This is a partnership between the state of Michigan, Merit Network, federal and local governments, colleges and universities, and the private sector.

Michigan Cyber Civilian Corps (MiC3)

State of Michigan

Continuously Updated

MiC3 is a group of trained cybersecurity experts who volunteer to provide expert assistance to enhance the state's ability to rapidly resolve cyber incidents when activated under a governor declared state of emergency. The group includes volunteers from government, education, and business sectors.

NASCIO State Profiles

National Association of State Chief Information Officers (NASCIO)

Continuously Updated

Links to CIO contact information, professional biographies, state governments, and state statistics.

Getting Started for State, Local, Tribal, and Territorial (SLTT) Governments

United States Computer Emergency Readiness Team (US-CERT)

Continuously Updated

A list of resources available to state, local, tribal, and territorial governments that have been aligned to the five Cybersecurity Framework function areas. Some resources and programs align to more than one function area.

Worried About Hackers, States Turn to Cyber Insurance

Pew Charitable Trusts

November 10, 2017

The number of U.S. states that have purchased cyber insurance has grown from 10 in 2015 to 19 in 2016, according to information gathered from state CIOs. The policies usually cover costs associated with investigations and data restoration, as well as customer notification, legal and public relations services, and credit monitoring.

Governors Want Cohesive Federal Cyber Regulations

National Governors Association

November 6, 2017

The U.S. National Governors Association (NGA) and the National Association of State Chief Information Officers (NASCIO) have asked the Office of Management and Budget's (OMB's) Office of Regulatory Affairs to standardize federal audit processes and make cyber security requirements consistent across federal agencies. NGA and NASCIO say that complying with the various requirements unnecessarily consumes states' resources. (2 pages)

2017 U.S. State and Federal Government Cybersecurity Research Report


August 24, 2017

The report analyzed and scored the current security posture of 552 small, medium and large U.S. government organizations with more than 100 public-facing IP addresses, to determine the state of government cybersecurity programs today. (24 pages)

Connecticut Cybersecurity Resource Page

State of Connecticut

July 10, 2017

Governor Malloy announced a new cyber security strategy, a seven-principle approach to safety on the web. The strategy's principles are leadership, literacy, preparation, response, recovery, communication, and verification.

Cybersecurity 2016 Survey

International City/County Management Association and Univ. of Maryland

April 19, 2017

A survey of local government chief information officers finds that insufficient funding for cybersecurity is the biggest obstacle in achieving high levels of cyber safety. Inadequate budgets are the largest obstacle for local government chief information officers in obtaining the highest level of cybersecurity for their organization, according to a survey. (12 pages)

26 States Have Adopted Ethical Duty of Technology Competence

Law Sites

December 28, 2016

26 states now require lawyers to stay abreast of changes in legal technology.

State Governments at Risk: Time to Move Forward: 2016

Deloitte & Touche and National Association of State CIOs

October 2016

Each year, the National Association of State Chief Information Officers (NASCIO) conducts a survey of state chief information officers (CIOs) to identify and prioritize the top policy and technology issues facing state government. State CIOs ranked cybersecurity as their top priority in 2014, 2015, and 2016. Considering that it seems that cybersecurity breaches in both the public and private sector are consistently splashed across the news, this is understandable. In the 2016 Deloitte-NASCIO Cybersecurity Study, we asked state chief information security officers (CISOs) about the status of cybersecurity in their states, as well as their perspectives and insights. We have compiled and highlighted those findings here. Importantly, we have found that the message that 'cybersecurity is everyone's responsibility' is seeing some traction. (32 pages)

A State Cyber Hub Operations Framework

Institute for Defense Analyses

June 2016

While States are pursuing the resolution of cyber issues across many fronts, a significant gap remains between the ability to gather and share information and intelligence and the mitigation of breaches that have already occurred. This document is intended to provide a place to start for State leaders who envision an ability to operationalize intelligence and information in a way that can stay ahead of the curve when it comes to cyberattacks. (74 pages)

Connecticut Public Utilities Cybersecurity Action Plan

Connecticut Public Utilities Regulatory Authority

April 6, 2016

The report offers new solutions for enhanced cybersecurity with the electricity, natural gas, and water sectors. The report and action plan are a follow-up to a 2014 PURA report, which presented the state with a roadmap to support cybersecurity defenses. (27 pages)

California Data Breach Report 2012-2015

California Attorney General

February 2016

The report provides an analysis of the data breaches reported to the California attorney general from 2012 to 2015. In nearly all cases, the breaches exploited vulnerabilities for which fixes had been available for more than a year. California state law states, "A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature if the information." The report states that organizations that do not implement the Center for Internet Security's (CIS) 20 Critical Security Controls would be found to demonstrate "a lack or reasonable security." (76 pages)

California Executive Order B-34-15

State of California

August 31, 2015

The governor issued an executive order that created the California Cybersecurity Integration Center (Cal-CSIC). "The Integration Center's primary mission will be to reduce the likelihood and severity of cyber incidents that could damage California's economy, its critical infrastructure, or public and private sector computer networks in our state," the order said. Cal-CSIC will work with the existing California Threat Assessment System and the U.S. Department of Homeland Security (DHS) to improve information sharing and communication with local, state, and federal agencies.

State perspectives on data breach notification legislation

National Association of Attorneys General

July 7, 2015

In a letter to House and Senate leaders, state attorneys general are urging Congress not to pass federal data breach legislation that preempts state laws. In the letter, the 47 state and territorial attorneys general urge that any legislation preserve states' abilities to enforce their own data security laws and pass requirements stricter than federal standards.

Unmanned Aerial Systems, Governance and State CIOs: on the Radar


May 27, 2015

State IT officials will be saddled with the consequences if drones—and the data they collect—are not digitally secure. The brief urges state CIOs to make cybersecurity a priority as they consider what drone policies to recommend to state leaders and whether to advocate for an authoritative or advisory role for the CIO's office on state drone policy. (8 pages)

Rhode Island Cybersecurity Commission

State of Rhode Island

May 7, 2015

The governor of Rhode Island signed an executive order establishing a new cybersecurity commission to create an action plan for protecting the state's vital infrastructure and recommend ways state government can promote the growth of a skilled cybersecurity workforce and business sector. The commission will consist of state-agencies' representatives and other public-sector entities; research institutions; and the private sector in the defense, financial services, IT, and energy sectors. (3 pages)

[Virginia] Governor McAuliffe Announces State Action to Protect Against Cybersecurity Threats

Virginia Governor's Office

April 20, 2015

Governor Terry McAuliffe announced that the Commonwealth of Virginia is establishing the nation's first state-level Information Sharing and Analysis Organization (ISAO). Governor McAuliffe launched the Virginia Cyber Security Commission and "Cyber Virginia" by Executive Order no. 8 on February 25, 2014.

How State Governments Are Addressing Cybersecurity

Brookings Institution

March 5, 2015

All states, except Alaska, publish an IT strategic plan, and Brookings did a content analysis of these plans to assess each state's cybersecurity positioning. "Our purpose in conducting this analysis was to determine how well states were conducting this 'due care.' As expected, our findings were mixed. We were able to identify two states that had strong efforts and performed better than their peers. We consider Idaho and Mississippi to be truly outstanding in their focus on cybersecurity."

NASCIO 2015 Federal Advocacy Priorities


January 22, 2015

NASCIO states that cybersecurity is its top priority for the federal government to address this year—including through coordination with states on combating cyberthreats. (5 pages)

100 Resilient Cities and Microsoft Announce Partnership to Help Cities Build Cybersecurity

100 Resilient Cities and Microsoft

January 15, 2015

100 Resilient Cities, pioneered by the Rockefeller Foundation, entered a partnership with Microsoft Corporation to help cities build cybersecurity strategies and combat online threats. Microsoft will provide the following to select 100RC member cities: best practices and resources for cities to develop a cybersecurity strategy as part of their resilience program; cybersecurity experts who will lead workshops to help cities prioritize their cyber needs; and facilitation of cybersecurity knowledge exchanges at 100RC-organized city workshops.

State Governments at Risk: Time to Move Forward: 2014 Deloitte-NASCIO Cybersecurity Study

Deloitte and Touche and NASCIO

October 2014

A majority of elected officials in state governments are confident in their abilities to defend against cyberthreats, but only one-quarter of state chief information security officers (CISOs) feel the same way, according to a new survey. The survey of 49 state CISOs or their equivalents and 186 other state officials cited barriers to cybersecurity included low budgets and difficulty recruiting top talent. Three-quarters of the CISOs surveyed said lack of sufficient funding is a major barrier to addressing cyberthreats, although almost half said cybersecurity budgets have increased year over year. (32 pages)

2014 Digital States Survey

Center for Digital Government (CDG)

September 2, 2014

Every two years, the CDG, the research and advisory arm of Government Technology's parent company eRepublic, evaluates state government's ability to improve internal processes and better serve citizens.

Cybersecurity and Connecticut's Public Utilities

Connecticut Public Utilities Regulatory Authority

April 14, 2014

The document is a plan for Connecticut's utilities to help strengthen defense against possible future threats, such as a cyberattack. Connecticut is the first state to present a cybersecurity strategy in partnership with the utilities sector and will share it with other states working on similar plans. Among other findings, the report recommends that Connecticut commence self-regulated cyber audits and reports and move toward a third-party audit and assessment system. The report also makes recommendations regarding local and regional regulatory roles, emergency drills and training, coordinating with emergency management officials, and handling confidential information. (31 pages)

State and Local Government Cybersecurity

White House

April 2, 2014

The White House in March 2014 convened a broad array of stakeholders, including government representatives, local government-focused associations, private-sector technology companies, and multiple federal agency partners, at the State and Local Government Cybersecurity Framework Kickoff event.

Framework for Improving Critical Infrastructure Cybersecurity

National Institute of Standards and Technology (NIST)

February 12, 2014

The voluntary framework consists of cybersecurity standards that can be customized to various sectors and adapted by large and small organizations. DHS announced the Critical Infrastructure Cyber Community (C3)—or "C-cubed"—voluntary program. The C3 program gives state and local governments and companies that provide critical services, such as cell phones, email, banking, and energy direct access, to DHS cybersecurity experts who have knowledge about specific threats, ways to counter those threats, and how, over the long term, to design and build systems that are less vulnerable to cyberthreats. (41 pages)

State Cybersecurity Resource Guide: Awareness, Education and Training Initiatives


October 2013

The guide includes new information from NASCIO's state members, including examples of state awareness programs and initiatives. This additional resource of best-practice information and an interactive state map allow users to drill down to the actual resources that states have developed or are using to promote cyber awareness. It includes contact information for the CISOs; hyperlinks to state security and security awareness pages; and information describing cybersecurity awareness, training, and education initiatives. (64 pages)

Cybersecurity for State Regulators 2.0 with Sample Questions for Regulators to Ask Utilities

National Association of Regulatory Utility Commissioners

February 2013

State commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country but not a single staff position had "cybersecurity" in the title. (31 pages)

Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities' Emerging Technology

Government Accountability Office

January 27, 2013

GAO reviewed federal coordination with state and local governments regarding cybersecurity at public-safety entities. The objective was to determine the extent to which federal agencies coordinated with state and local governments concerning cybersecurity efforts at emergency operations centers, public-safety answering points, and first-responder organizations involved in handling 911 emergency calls. GAO analyzed relevant plans and reports and interviewed officials at five agencies that were identified based on their roles and responsibilities established in federal law, policy, and plans as well as at selected industry associations and state and local governments. (41 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Table 2. International: General

(includes international laws, legislation and agreements, supply chain vulnerabilities, and intellectual property theft)





The Cyber Hub

Booz Allen Hamilton and the Economist Intelligence Unit

Continuously Updated

The Cyber Hub's content includes integral parts: an index that assesses specific aspects of the cyber environment of the G20 countries and a series of research papers that examine the implications for the business community.

Global Cybersecurity Index

International Telecommunications Union

Continuously Updated

Based on questionnaire responses received by member states of the International Telecommunications Union, a first analysis of cybersecurity development in the Arab region was compiled and one for Africa is under way. The objective is to release a global status of cybersecurity for 2014.

Explorations in Cyber International Relations (ECIR): Cyberspace and Cyber Politics

Massachusetts Institute of Technology (MIT) and Harvard

Continuously Updated

ECIR is a collaborative and interdisciplinary research program that seeks to create a field of international cyber relations for the 21st century. It is designed as a theoretically rich, technically informed initiative anchored in diverse tools and methods to identify, measure, model, interpret, and analyze emergent issues, challenges, and responses. The ECIR research plan integrates social sciences, legal studies, computer science, and policy analysis. The research team brings together personnel and institutional resources from MIT and Harvard. After the conclusion of the final exercise next year, the EU will release some top-level lessons learned.

INCYDER Resources

NATO Cooperative Cyber Defense Center of Excellence (Tallin, Estonia)

Continuously Updated

The interactive research tool focuses on the legal and policy documents adopted by international organisations active in cyber security. The collection of documents is periodically updated and supported by a comprehensive system of tags that enable filtering the content by specific sub-domains. INCYDER also features descriptions and news about these selected organisations.

Cyber Security Strategy Documents

NATO Cooperative Cyber Defense Center of Excellence (Tallin, Estonia)

Continuously Updated

The site provides links to national cyber security policy and legal documents. This includes national security and defence strategies that address cyber; national cyber/information security strategies; and relevant legal acts. It is primarily focused on NATO Nations and Partners (includes Euro-Atlantic Partnership Council (EAPC), NATO's Mediterranean Dialogue, Istanbul Cooperation Initiative (ICI), and Partners across the globe), but other national strategies are included as available.

Cyber Leadership

Pell Center for International Relations and Public Policy

Continuously Updated

"Leadership in a Cyber Age" is an initiative intended to help prepare America's institutional leaders for the complexities of operating in an era of cyber threat. Ongoing research seeks to identify and investigate key issues in leadership development across society and to recommend improvements so that the United States, as a society, is prepared for the threats of the modern world.

Office of the Coordinator for Cyber Issues (S/CCI)

State Department

Continuously Updated

S/CCI coordinates the department's global diplomatic engagement on cyber issues and serves as the department's liaison to the White House and federal departments and agencies on cyber issues. S/CCI's coordination function spans the full spectrum of cyber-related issues to include security, economic issues, freedom of expression, and free flow of information on the Internet.

International Security Advisory Board (ISAB)

State Department

Continuously Updated

The ISAB provides the department with independent insight and advice on all aspects of arms control, disarmament, international security, and related aspects of public diplomacy. The board provides its recommendations to the Secretary of State.

DHS Statement on the Issuance of Binding Operational Directive 17-01 (Kaspersky Products Ban)


September 13, 2017

DHS has issued a binding operational directive (BOD) requiring all federal agencies to cease the use of Kaspersky Lab products and services. The agencies have 30 days to identify which products are in use and then 60 days beyond that to create plans to remove them. After 90 days, agencies will need to begin the process of removing the products and services.

How An Entire Nation Became Russia's Test Lab for Cyberwar

Wired Magazine

July 1, 2017

"... And the blackouts weren't just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyber­assault unlike any the world has ever seen. A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations' most basic functions. 'You can't really find a space in Ukraine where there hasn't been an attack,' says Kenneth Geers, a NATO ambassador who focuses on cybersecurity."

Why So Many Top Hackers Hail from Russia

Krebs on Security

June 17, 2017

Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information technology in middle and high schools, and yet they lack a Silicon Valley-like pipeline to help talented IT experts channel their skills into high-paying jobs. This post explores the first part of that assumption by examining a breadth of open-source data.

Tainted Leaks: Disinformation and Phishing with a Russian Nexus

Citizen Lab at the Munk School of Global Affairs at the University of Toronto

May 25, 2017

Researchers have discovered an extensive international hacking campaign that steals documents from its targets, carefully modifies them and repackages them as disinformation aimed at undermining civil society and democratic institutions. The investigators say the campaign shows clear signs of a Russian link. The report also demonstrates overlap with cyberattacks used in the U.S. and French presidential elections, which American and European intelligence agencies and cybersecurity companies have attributed to hacking groups affiliated with the Russian government.

Toward a Global Norm Against Manipulating the Integrity of Financial Data

Carnegie Cyber Policy Initiative

March 28, 2017

This white paper proposes that the G20 heads of state should explicitly commit not to manipulate the integrity of data and algorithms of financial institutions and to cooperate when such incidents occur. (20 pages)

United States Key Deliverables for the 2016 North American Leaders' Summit (U.S.-Canada-Mexico trilateral discussion)

White House

June 29, 2016

(Scroll down to the Cyber Cooperation section). Leaders affirm that no country should conduct or knowingly support (1) online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide services to the public; (2) activity intended to prevent national computer security incident response teams (CSIRTs) from responding to cyber incidents, or use CSIRTs to enable online activity that is intended to do harm; and (3) cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to its companies or commercial sectors; and that (4) every country should cooperate, consistent with its domestic law and international obligations, with requests for assistance from other states in mitigating malicious cyber activity emanating from its territory.

One Internet

Global Commission on Internet Governance

June 22, 2016

The report recommends strict legal controls on the aggregation of personal metadata, net neutrality, open standards, and the mandatory public reporting of high-threshold data breaches. It also offers opinions on areas such as the sharing economy, blockchains, the Internet of Things, IPv6, and DNSSEC. (138 pages)

An American Strategy for Cyberspace: Advancing Freedom, Security, and Prosperity

American Enterprise Institute

June 14, 2016

The report puts forward a strategic plan grounded in the realities of cyberspace itself, including the rapid pace of change; the importance of economies of scale and scope; the extent to which it is integrated into modern economies, cultures, and political structures; and its inherently global nature. Like our analysis, our recommendations are organized into four areas: Internet Freedom and Human Rights, International Trade and Digital Commerce, Cybercrime and Law Enforcement, and Critical Infrastructure and Cyber Defense. (83 pages)

The Global Risks Report 2016

World Economic Forum

January 14, 2016

In this annual survey, almost 750 experts assessed 29 separate global risks for both impact and likelihood over a 10-year time horizon. Technological risk, where the highest ranking risk is cyberattack, ranked 11th in both likelihood and impact. The report features 13 trends. This year, climate change, rising income and wealth disparity, and the rise of cyber dependency are the three trends assessed as most important in shaping global development in the next 10 years. (103 pages)

Cyber Defense: An International View

U.S. Army War College Strategic Studies Institute

September 2015

An overview of four different national approaches to cyber defense is discussed: those of Norway, Estonia, Germany, and Sweden. The paper provides a useful guide for engagement with the relevant governmental and other organizations in each of these countries. It compares and contrasts the advantages and drawbacks of each national approach. (65 pages)

DRAFT Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity (2 Volumes)

National Institute of Standards and Technology (NIST)

August 10, 2015

The report calls for a White House-led oversight body, with the Department of Commerce (DOC) acting as a "subordinate interagency working group" working on behalf of the President. Major policy decisions would be brought to the White House. Federal agencies should make long-term commitments to support international cybersecurity standards by assigning staff specialists to work with standards development organizations. In addition, NIST suggests prioritizing cybersecurity standards that minimize privacy risks. (104 pages)

Russian Underground 2.0

Trend Micro (Forward Looking Threat Team)

July 28, 2015

The Russian underground is a mature ecosystem that covers all aspects of cybercriminal business activities and offers an increasingly professional underground infrastructure for the sale of malicious goods and services. There is increasing professionalization of the crime business that allows cheaper prices to dominate sales and thereby make it easy and very affordable for anyone without significant skill to buy whatever is needed to conduct criminal dealings. (41 pages)

OAS and FIRST Sign Agreement to Improve Hemispheric Response to Cyber Incidents

Organization of American States (OAS)

May 28, 2015

OAS and the Forum of Incident Response and Security Teams (FIRST) plan to cooperate on cybersecurity incident response and to promote good cyber hygiene across the Americas. OAS and FIRST signed an agreement pledging to "jointly organize technical incident response activities focused on the needs and challenges of OAS member states" and to help implement OAS's Comprehensive Inter-American Strategy to Combat Threats to Cyber Security and its Declaration on Strengthening Cyber Security in the Americas, adopted by member states in 2004 and 2012, respectively.

Global Cybersecurity Index: Updated Report

International Telecommunication Union (ITU) and ABI Research

May 28, 2015

Each country profile features information on measures contained in the five key pillars of the Global Cybersecurity Index (GCI), as enshrined in the ITU's Global Cybersecurity Agenda, notably: legal, technical, organizational, capacity building, and cooperation. Information on child online protection measures will be added to each profile. The GCI has been an ongoing project between ITU and ABI Research to map out cybersecurity efforts undertaken at the national level. Each of the six regions (Africa, Americas, Arab States, Asia Pacific, the Commonwealth of Independent States, and Europe) saw regional champions emerge. Good practices from each region and from each of the pillars are highlighted. (528 pages)

Managing the Cyber Security Threat

Hoover Institution Working Group on Foreign Policy and Grand Strategy

December 12, 2014

The cyber threat needs to be managed through a combination of being realistic and honest about our willingness and capacity to guarantee security in this area; accepting multilateral arrangements to protect commerce and critical infrastructure and leaving traditional forms of intelligence and military activities unregulated; and allowing private companies and individuals to use strong encryption or open-source software without built-in vulnerabilities. (6 pages)

Legal Issues Related to Cyber

NATO Legal Gazette

December 2014

The NATO Legal Gazette contains thematically organized articles usually written by military or civilian legal personnel working at NATO or in the governments of NATO and partner nations. Its purpose is to share articles of significance for the large NATO legal community and connect legal professionals of the Alliance. It is not a formal NATO document. (74 pages)

A Role for Civil Society in Cybersecurity Affairs?

ICT4Peace Foundation

September 3, 2014

Civil society does not include the private sector. Nevertheless, natural alliances are emerging between certain of the more tech-oriented civil society organisations (e.g., the Internet Society or the Institute of Electrical and Electronics Engineers (IEEE) and some Tier 1 carriers (i.e., those carriers with a direct connection to the Internet and networks they use to deliver voice and data services), and major transnational vendors and Internet Service Providers (ISPs). (26 pages)

Consult, Command, Control, Contract: Adding a Fourth "C" to NATO's Cyber Security

Centre for International Governance Innovation

August 6, 2014

The authors suggest that NATO should implement a contracting protocol that delineates appropriate classifications for the tasks and personnel required for private cybersecurity contracts. They conclude that establishing an oversight organization and submitting a proposal to the International Law Commission to consider the roles of private security actors would create greater transparency and accountability for contracting. (10 pages)

Baseline Review: ICT-Related Processes and Events, Implications for International and Regional Security (2011-2013)

ICT4Peace Foundation

May 1, 2014

The report is structured around the following three areas: (1) international and regional security; (2) transnational crime and terrorism; and (3) governance, human rights, and development. These areas are interdependent, yet they have traditionally been approached separately through distinct communities of practice and fora. The report is intended to serve as a baseline for future annual reports. It covers January 2011-December 2013 and provides background on earlier events. (50 pages)

2013 Joint Report

U.S.-Russia Bilateral Presidential Commission (BPC)

December 27, 2013

The report includes updates from each of the BPC's 21 working groups. (See the "Working Group on the Threats to and in the Use of Information Communications Technologies in the Context of International Service" section on pages 11-12.) A key component of the discussion is the implementation of the bilateral confidence building measures (CBMs) announced by Presidents Obama and Putin in June 2013. (40 pages)

WFE Launches Global Cyber Security Committee

World Federation of Exchanges (WFE)

December 12, 2013

The WFE launched the exchange industry's first cybersecurity committee with a mission to aid in the protection of the global capital markets. The working group brings together representation from a number of exchanges and clearinghouses across the globe to collaborate on best practices in global security.

Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security

United Nations General Assembly, Group of Governmental Experts

June 24, 2013

The report states that UN-member states should abide by international law, particularly the UN Charter, when operating in cyberspace; honor the norm of state responsibility for cyberattacks emanating from their territory; work to develop confidence building measures to reduce the risk of conflict by increasing the predictability of state actions; and engage in capacity building efforts to assist developing countries in building the required skills to protect their networks and citizens. (13 pages)

Confidence Building Measures and International Cybersecurity

ICT4Peace Foundation

June 21, 2013

Confidence-building measures can lay the foundation for agreeing on acceptable norms of behavior for states, and confidence- and trust-building measures can help to avoid miscalculation and escalation. The report is divided into four main sections: (1) Transparency, Compliance, and Verification Measures; (2) Cooperative Measures; (3) Collaboration and Communication Mechanisms; and (4) Stability and Restraint Measures. A final section discusses next steps for diplomatic confidence-building processes. (21 pages)

FACT SHEET: U.S.-Russian Cooperation on Information and Communications Technology Security

White House

June 17, 2013

The United States and the Russian Federation created a new working group, under the auspices of the Bilateral Presidential Commission, dedicated to assessing emerging ICT threats and proposing concrete joint measures to address them.

Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment

Government Accountability Office (GAO)

May 21, 2013

The federal government began efforts to address the security of the supply chain for commercial networks. There are a variety of approaches for addressing the potential risks posed by foreign-manufactured equipment in commercial communications networks, including those taken by foreign governments. Although these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chose to pursue such approaches. (52 pages)

Remaking American Security: Supply Chain Vulnerabilities and National Security Risks Across the U.S. Defense Industrial Base

Alliance for American Manufacturing

May 2013

Because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective. (355 pages)

The Tallinn Manual on the International Law Applicable to Cyber Warfare

Cambridge University Press/ NATO Cooperative Cyber Defence Center of Excellence

March 5, 2013

The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 "black-letter rules" governing such conflicts. An extensive commentary accompanies each rule, which sets forth each rules' basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rules' application. (Note: The manual is not an official NATO publication, but an expression of opinions of a group of independent experts acting solely in their personal capacity.) (302 pages)

Worldwide Threat Assessment of the U.S. Intelligence Community (Testimony)

James Clapper, Director of National Intelligence

February 11, 2013

Clapper provided an assessment of global threats: U.S. critical infrastructure, eroding U.S. economic and national security, information control and Internet governance, and hacktivists and criminals. (34 pages)

Linking Cybersecurity Policy and Performance

Microsoft Trustworthy Computing

February 6, 2013

Introduces a new methodology for examining how socioeconomic factors in a country or region impact cybersecurity performance. Examines measures such as use of modern technology, mature processes, user education, law enforcement, and public policies related to cyberspace. This methodology can build a model that will help predict the expected cybersecurity performance of a given country or region. (27 pages)

Comprehensive Study on Cybercrime

United Nations Office on Drugs and Crime

February 2013

The study examined the problem of cybercrime from the perspective of governments, the private sector, academia, and international organizations. The results are presented in eight chapters, covering (1) Internet connectivity and cybercrime; (2) the global cybercrime picture; (3) cybercrime legislation and frameworks; (4) criminalization of cybercrime; (5) law enforcement and cybercrime investigations; (6) electronic evidence and criminal justice; (7) international cooperation in criminal matters involving cybercrime; and (8) cybercrime prevention. (320 pages)

Administration Strategy for Mitigating the Theft of U.S. Trade Secrets

White House

February 2013

The report states, "First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft." (141 pages)

The Challenge of Cyber Power for Central African Countries: Risks and Opportunities

Naval Postgraduate School

December 2012

According to the report, Central African militaries, which are supposed to be the first line of defense for their governments' institutions, are dramatically behind the times. To address this situation, the governments of Central Africa need to adopt a collaborative cyber strategy based on common investment in secure cyber infrastructures. Such cooperation will help to create a strong cyber environment conducive of the confidence and trust necessary for the emergence of a cyber community of Central African States (C3AS). For Central African militaries, massive training and recruiting will be the first move to begin the process of catching up. (209 pages)

Cybersecurity: Managing Risks for Greater Opportunities

Organization for Economic Co-operation and Development (OECD)

November 29, 2012

The OECD launched a broad consultation of all stakeholders from member and nonmember countries to review its security guidelines. The review takes into account newly emerging risks, technologies, and policy trends in areas such as cloud computing, digital mobility, the Internet of things, and social networking.

Cybersecurity Policy Making at a Turning Point: Analysing a New Generation of National Cybersecurity Strategies for the Internet Economy


November 16, 2012

The report analyzes the latest generation of national cybersecurity strategies in 10 OECD countries and identifies commonalities and differences. (117 pages)

Australia: Telecommunications Data Retention—an Overview

Parliamentary Library of Australia 

October 24, 2012

In July 2012, the Commonwealth Attorney General's Department released a discussion paper, Equipping Australia against emerging and evolving threats, on the proposed national security reforms. Of the 18 primary proposals and the 41individual reforms that they comprised, the issue that seems to have attracted the most attention is the suggestion that carriage service providers (CSPs) be required to routinely retain certain information associated with every Australian's use of the Internet and phone services for a period of up to two years (i.e., data retention). (32 pages)

United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling?

Triangle Institute for Security Studies

March 2012

The incongruence between national counterterrorism (CT) cyber policy, law, and strategy degrades the abilities of federal CT professionals to interdict transnational terrorists from within cyberspace. Specifically, national CT cyber policies that are not completely sourced in domestic or international law unnecessarily limit the latitude cyber CT professionals need to effectively counter terrorists using organic cyber capabilities. (34 pages)

Cyber-security: The Vexed Question of Global Rules: An Independent Report on Cyber-Preparedness Around the World


February 1, 2012

Forty-five percent of legislators and cybersecurity experts representing 27 countries think cybersecurity is just as important as border security. The authors surveyed 80 professionals from business, academia, and government to gauge worldwide opinions of cybersecurity. (108 pages)

Foreign Spies Stealing US Economic Secrets in Cyberspace

Office of the National Counterintelligence Executive

October 2011

According to the report, espionage and theft through cyberspace are growing threats to the United States' security and economic prosperity, and the world's most persistent perpetrators happen to also be U.S. allies. (31 pages)

International Strategy for Cyberspace

White House/Office of Management and Budget

May 16, 2011

The strategy marks the first time any Administration has attempted to set forth in one document the U.S. government's vision for cyberspace, including goals for defense, diplomacy, and international development. (30 pages)

Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace

EastWest Institute

February 3, 2011

According to the report, the authors "led [a group of] cyber and traditional security experts through a point-by-point analysis of the Geneva and Hague Conventions. Ultimately, the group made five immediate recommendations for Russian and U.S.-led joint assessments, each exploring how to apply a key convention principle to cyberspace." (60 pages)

United States Faces Challenges in Addressing Global Cybersecurity and Governance


August 2, 2010

GAO recommends that the special assistant to the President and cybersecurity coordinator should make recommendations to appropriate agencies and interagency coordination committees regarding any necessary changes to more effectively coordinate and forge a coherent national approach to cyberspace policy. (53 pages)

The Reliability of Global Undersea Communications Cable Infrastructure (The ROGUCCI Report)

Institute of Electrical and Electronics Engineers/EastWest Institute

May 26, 2010

This study submits 12 major recommendations to the private sector, governments, and other stakeholders—especially the financial sector—for the purpose of improving the reliability, robustness, resilience, and security of the world's undersea communications cable infrastructure. (186 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Note: Page counts are documents; other cited resources are web pages.

Table 3. International: China





China's Threat to the Competitiveness and Security of the U.S. Semiconductor Industry

Stewart and Stewart

February 17, 2017

The U.S. semiconductor industry is experiencing a slowdown in the pace of technological development, and its competitiveness is being threatened by China's targeted interference in the semiconductor market through non-market means. These issues have raised serious concerns at senior levels of the U.S. government in both the Obama and Trump Administrations. The authors elaborate on China's actions and discuss some of the legal mechanisms available to the U.S. government and domestic industry to combat the threats posed by China's policies. (10 pages)

Third U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues


December 8, 2016

The dialogue aims to review the timeliness and quality of responses to requests for information and assistance with respect to cybercrime or other malicious cyber activities, and to enhance pragmatic bilateral cooperation with regard to cybercrime, network protection and other related issues. Both sides endorse the establishment of the dialogue mechanism as beneficial to bilateral communication and enhanced cooperation, and believe that further solidifying, developing, and maintaining the dialogue mechanism and continuing to strengthen bilateral cooperation in cybersecurity is beneficial to mutual interests.

Science, Space, and Technology Committee's Investigation of FDIC's Cybersecurity

House Science, Space, and Technology Committee (Staff Report)

July 12, 2016

According to congressional investigators, the Chinese government hacked into 12 computers and 10 backroom servers at the FDIC, including the personal computers of the agency's top officials: the FDIC chairman, his chief of staff, and the general counsel. When congressional investigators tried to review the FDIC's cybersecurity policy, the agency hid the hack. (25 pages)

Trends in Chinese Cyber Espionage Campaigns

(registration required)

U.S. State Department - Overseas Security Advisory Council

June 27, 2016

The report assesses the recent FireEye report tracking network compromises by China-based hackers since mid-2014. Multiple studies have contributed to the assessment that China-based network intrusions are still ongoing, only a fraction of which may be detected by researchers. Despite the decline shown in metrics, China remains a serious cyber-threat actor to U.S. firms. (3 pages)

Redline Drawn: China Recalculates Its Use of Cyber Espionage

FireEye iSight Intelligence

June 2016

Chinese hacking of U.S. government and corporate networks has sharply declined since 2014. FireEye observed only a handful of network intrusions attributed to Chinese groups in April of this year, down from more than 60 in February of 2013. The shift is likely the result of a confluence of factors, including actions taken by the U.S. government— but it is not solely the result of a September anti-hacking pledge struck by President Obama and Chinese President Xi Jinping. (16 pages)

Military and Security Developments Involving the People's Republic of China 2016: Annual Report to Congress

Department of Defense

April 26, 2016

DOD's annual report to Congress on China's capabilities asserts that China's military conducted cyber probes and intrusions against U.S. computer networks to support intelligence collection and electronic warfare…. Highlighting what the Pentagon describes as China's focus on improving cyber capabilities to counter a "stronger foe," the report concludes that information gleaned by hackers "could inform Chinese military planners' work to build a picture of U.S. defense networks, logistics, and related military capabilities that could be exploited during a crisis." (156 pages)

Getting to Yes with China in Cyberspace

RAND Corporation

March 2016

The study looks at two basic questions: Can the United States and China achieve meaningful outcomes through formal negotiations over norms and rules in cyberspace? And, if so, what areas are most likely to yield agreement and what might be exchanged for what? The analysis should be of interest to two communities: those concerned with U.S. relations with China and those concerned with developing norms of conduct in cyberspace, notably those that enhance security and freedom. (121 pages)

Cyber Security in the Asia-Pacific

(Chapter from Research Handbook on International Law and Cyberspace)

December 31, 2015

ASEAN. The ARF and APEC have sought to prevent, regulate, and mitigate the effects of malicious use of the Internet for criminal and terrorist purposes, largely through enhancing information sharing between national CERTs and domestic law enforcement agencies, and by setting regional standards for national cyber-related laws and policy. However, these measures only go some way to addressing regional cyber security concerns, and their effectiveness is threatened by new challenges, in particular the emerging preeminence of sovereignty considerations in cyber policymaking. (Note: Cyber Security in the Asia-Pacific chapter starts on p. 10.) (18 pages)

2015 Annual Report to Congress

U.S.-China Economic Commission

November 17, 2015

Reportedly, China causes increasing harm to the U.S. economy and security through two deliberate policies targeting the U.S.-coordinated, government-backed theft of information from a wide variety of U.S.-based commercial enterprises and widespread restrictions on content, standards, and commercial opportunities for U.S. businesses. Hackers working for the Chinese government—or with the government's support and encouragement—have infiltrated the computer networks of U.S. government agencies, contractors, and private companies, and stolen personal information and trade secrets. (See Chapter 1, Section 4: Commercial Cyber Espionage and Barriers to Digital Trade in China.) (631 pages)

The U.S.-China Military Scorecard: Forces, Geography, and the Evolving Balance of Power, 1996-2017

RAND Corporation

September 14, 2015

The report, which rates the capabilities of U.S. and Chinese militaries over the course of two situations, a conflict over Taiwan and one over the Spratly Islands, dedicates an entire chapter to the respective cyber capabilities of both sides. As it maps out the potential conflicts, and in turn the potential ways each country could attack the other's network, it becomes apparent why a first agreement between President Barack Obama and President Xi might focus on the rules of the road for attacks on core infrastructure instead of on better publicized Chinese attacks aimed at gaining advantages and intellectual property for companies. See Chapter Eleven: Scorecard 9: U.S. and Chinese Cyberwarfare Capabilities, pp 259-284. (430 pages)

Cyber Security Research in China

Asian Technology Information Program

June 5, 2015

This report reviews major government research projects and introduces the leading research groups in the field of cyber security in China. It provides an overview of the recent progress made in the areas of cryptography, web security, intrusion detection and attack analysis, cloud security, mobile security, and security of wireless sensor networks in China. (27 pages)

APT30 and the Mechanics of a Long-Running Cyber-Espionage Operation: How a Cyber Threat Group Exploited Governments and Commercial Entities Across Southeast Asia and India for Over a Decade


April 2015

A Chinese government hacking team has used the same basic set of tools to spy on Southeast Asian and Indian dignitaries for a decade, demonstrating the low level of cyber defenses protecting government information across broad swaths of the world. Because this group, APT30, has been able to use the same basic set of malware tools against government networks since at least 2005 suggests its targets remained unaware for more than a decade they were being spied on, or were incapable of countering the threat. (70 pages)

Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors

Senate Armed Services Committee

September 17, 2014

Hackers associated with the Chinese government successfully penetrated the computer systems of Transportation Command (TRANSCOM) contractors 20 times in the course of a single year. Chinese hackers tried to get into the systems 50 times. The congressional committee found that only two of the intrusions were detected, and that officials were unaware due in large part to unclear requirements and methods for contractors to report breaches and for government agencies to share information. (52 pages)

Mapping the Cyber Dragon: China's Conduct of Terror in the Cyber World

Defense and Diplomacy Journal

July-September 2014

"[A]mong all the major players of the world, one country which participates in, and practices, all the above mentioned forms of cyber conflict, not only in the military sector but also in the civilian sector, is the People's Republic of China (PRC). Therefore, for a broader perspective of global cyber security, it is imperative to understand the various types of modus operandi and other methodologies of different groups, in both military and civilian sectors involved in cyber conflicts, from China who are creating potential terror in the cyber domain." (13 pages)

Global Cybercrime: The Interplay of Politics and Law

Centre for International Governance Innovation

June 20, 2014

The paper explores the recent unsealing of a 31-count indictment against five Chinese government officials and a significant cyber breach perpetrated by Chinese actors against Western oil, energy, and petrochemical companies. Increased cooperation among governments is necessary but unlikely to occur as long as the discourse surrounding cybercrime remains so heavily politicized and securitized. (23 pages)

China and International Law in Cyberspace

U.S.-China Economic and Security Review Commission

May 7, 2014

Despite major differences on cyberspace policy between the United States and China, a development at the United Nations illustrates basic areas of agreement. The United States and China were among 15 countries affirming the applicability of international law to cyberspace in a 2013 UN report. The same group will gather in 2014 to address some of the more challenging and divisive concepts regarding state responsibility and use of force in cyberspace. (11 pages)

Cyber Maturity in the Asia-Pacific Region 2014

Australian Strategic Policy Institute

April 14, 2014

The institute assesses regional digital maturity across government, business, society, and the military. Australia comes out ahead of China, Japan, and South Korea regarding overall digital strength in the region and ranks third behind the United States and China in cyber warfare. The Asia-Pacific region is increasingly the focus of cyberattacks, including criminal and state-sponsored hacking and espionage. (76 pages)

2013 Annual Report to Congress

U.S.-China Economic Commission

October 20, 2013

In 2013, the commission continued to closely examine China's cyber capabilities. Strong evidence emerged that the Chinese government is directing and executing a large-scale cyber-espionage campaign against the United States, including the U.S. government and private companies. However, public exposure of this cyber espionage apparently has not changed China's attitude about the use of cyber espionage to steal intellectual property and proprietary information. (See Chapter 2, Section 2: "China's Cyber Activities.") (465 pages)

Military and Security Developments Involving the People's Republic of China 2013 (Annual Report to Congress)

Department of Defense (DOD)

May 6, 2013

China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs. The information targeted could potentially be used to benefit China's defense industry; high-technology industries; policymaker interest in U.S. leadership thinking on key China issues; and military planners building a picture of U.S. defense networks, logistics, and military- related capabilities that could be exploited during a crisis. (92 pages)

Cyber Incidents Attributed to China

Center for Strategic and International Studies

March 11, 2013

Evidence that China and Chinese hackers are responsible for the many incidents attributed to them. CSIS did a review of open source literature identifying China as the source of hacking and cyber espionage incidents. The paper provides an initial list of other major cyber incidents attributed to China by officials in Australia, Canada, France, Germany, India, Japan, the UK, and other countries not discussed. The list is divided into two parts. The first section lists reports that identify specific individuals and entities; the second section refers to incidents ascribed generally to China. These reports identify six groups and 14 individuals, all but one connected to the Chinese government and most with connections to the People's Liberation Army (PLA), as responsible for cyber espionage. (15 pages)

APT1 [Advanced Persistent Threat 1]: Exposing One of China's Cyber Espionage Units


February 19, 2013

Mandiant conducted hundreds of investigations on computer security breaches around the world. The details analyzed during these investigations signal that the groups conducting these breaches are based primarily in China and that the Chinese government is aware of them. (76 pages)

Video Demo of Chinese Hacker Activity


February 19, 2013

Five-minute video of APT1 attacker sessions and intrusion activities. (Click on "APT1 Video" at top right of screen.)

The Chinese Defense Economy Takes Off: Sector-by-Sector Assessments and the Role of Military End-Users (series 4)

University of California Institute on Global Conflict and Cooperation

January 25, 2013

The collection of 15 policy briefs explores how China has made such impressive military technological progress over the past few years, what is in store, and what are the international security implications. The briefs are summaries of a series of longer research papers presented at the third annual Chinese defense economy conference held by the Study of Innovation and Technology in China in July 2012. (87 pages)

2012 Report to Congress of the U.S.-China Economic and Security Review Commission, 112th Congress, Second Session, November 2012

U.S.-China Economic and Security Review Commission

November 2012

The report responds to the mandate for the commission "to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People's Republic of China." See "China's Cyber Activities," Chapter 2, Section 2, pp. 147-169. (509 pages)

More Than Meets the Eye: Clandestine Funding, Cutting-Edge Technology and China's Cyber Research and Development Program

Lawrence Livermore National Laboratory

October 17, 2012

The report analyzes how the Chinese leadership views information technology research and development (R&D) as well as the role cyber R&D plays in China's various strategic development plans. It explores the organizational structure of China's cyber R&D base and concludes with a projection of how China might field new cyber capabilities for intelligence platforms, advanced weapons systems, and systems designed to support asymmetric warfare operations. (17 pages)

Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE

House Permanent Select Committee on Intelligence

October 8, 2012

The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States. (60 pages)

Bilateral Discussions on Cooperation in Cybersecurity 

China Institute of Contemporary International Relations (CICIR) and the Center for Strategic and International Studies (CSIS)

June 2012

Since 2009, CSIS and CICIR have held six formal meetings on cybersecurity called "Sino-U.S. Cybersecurity Dialogues." A broad range of U.S. and Chinese officials and scholars responsible for cybersecurity issues attended the meetings. The goals of the discussions were to reduce misperceptions and to increase both transparency among both countries' authorities and understanding regarding how each country approaches cybersecurity. The meetings also sought to identify areas of potential cooperation.

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Table 4. International: Europe, EU, United Kingdom





Cyber Security Strategy: Progress So Far

Cabinet Office, United Kingdom

Continuously Updated

A National Cyber Security Programme (NCSP) backed by £650 million of funding to 2015 was put in place to support the strategy. An additional £210 million in 2015 to 2016 increased that investment. This funding builds on existing projects and supports new investments, enabling the UK to retain its emerging reputation as a leader in the field of cyber security.

European Cybercrime Center (EC3)


Continuously Updated

The European Commission decided to establish a European Cybercrime Centre (EC3) at Europol. The center will be the focal point in the EU's fight against cybercrime, contributing to faster reactions in the event of online crimes. It will support EU member states and institutions in building operational and analytical capacity for investigations and cooperation with international partners.

Explorations in Cyber International Relations (ECIR)

Massachusetts Institute of Technology (MIT) and Harvard University

Continuously Updated

ECIR is a collaborative and interdisciplinary research program that seeks to create a field of international cyber relations for the 21st century. It is designed to identify, measure, model, interpret, and analyze emergent issues, challenges, and responses. The ECIR research plan integrates social sciences, legal studies, computer science, and policy analysis.

State of the Union 2017 - Cybersecurity: Commission scales up EU's response to cyber-attacks

European Commission

September 19, 2017

The European Commission unveils proposals for measures to boost cybersecurity in the EU. The package includes proposal for an EU Cybersecurity Agency to assist member states in dealing with cyber-attacks and a European certification scheme to ensure that products and services in the digital world are safe to use.

Cyber Diplomacy Toolbox

European Council

June 10, 2017

A joint framework, dubbed the "cyber diplomacy toolbox," will guide how member countries should uniformly respond to malicious cyber-activity, which includes steps to cooperatively impose economic sanctions, travel bans, asset freezes and blanket bans against responsible parties. The framework is expected to encourage cooperation, facilitate mitigation of immediate and long-term threats, and influence the behaviour of potential aggressors in the long term.

Reflection Paper on the Future of European Defense

European Commission

June 7, 2017

The European Commission wants a larger role in addressing cyberattacks including everything from "softer" diplomatic tools to a common cyber policy. The strategic paper does not specify upcoming initiatives, but it shows the commission's eagerness to take up a greater role in coordinating responses to cyberattacks and supporting EU countries with funding and expertise to increase their cyber defenses. The announcement included a communication of the EU's plan to pour €5.5 billion in the security and defense industry starting in 2020, including funding cyber research and cyber-defense projects. (24 pages)

DHS S&T Cyber Security Division 5-Year International Collaboration Broad Agency Announcement (BAA)


February 6, 2017

DHS is partnering with a dozen foreign governments and the EU to enhance global cybersecurity. The governments, including the U.K., Germany, and Israel, will help DHS evaluate white papers and proposals from contractor teams. They will work together on issues including network security and the human aspects of cybersecurity. The collaboration is part of a Broad Agency Announcement (BAA), against which specific requests will be issued. (1 page)

EU-NATO cooperation: Council adopt conclusions to implement Joint Declaration

EU, European Commission, NATO

December 6, 2016

The agreement will allow NATO and the EU's "fusion cells," groups of experts who are supposed to detect and help rebuff hybrid or cyberattacks, to synchronize their work and teams of on-call experts will be able to coordinate their planned responses.

G-7 Fundamental Elements of Cybersecurity for The Financial Sector

Treasury Department

October 11, 2016

The finance ministers and central bank governors of the G-7 countries released the fundamental elements, which provide a concise set of principles on best practices in cybersecurity for public and private entities in the financial sector. Public authorities, including finance ministries, central banks, and regulators, can also use the elements to inform their efforts to both protect the financial sector from cyberattacks and to effectively respond to and recover from incidents when they occur. (3 pages)

Directive on security of network and information systems (NIS Directive)

European Parliament

July 6, 2016

The European Parliament has approved cybersecurity legislation that "establish[es] a common level of network and information security and enhance[s] cooperation among EU member states, which will help prevent cyberattacks on Europe's important interconnected infrastructures." The new rules affect a broad spectrum of business sectors, including finance, energy, transportation, and technology. (30 pages)

G7 Ise-Shima Leaders Declaration

G7 Leaders

May 26, 2016

Cybersecurity: "We strongly support an accessible, open, interoperable, reliable and secure cyberspace as one essential foundation for economic growth and prosperity. We promote digital adoption for improved quality of life, by bridging digital divides, enabling innovative business models and affordable universal and high quality access to Information and Communication Technologies (ICTs) as well as enhancing digital literacy. We endorse the G7 Principles and Actions on Cyber and commit to take decisive actions." (32 pages)

Joint Declaration by G7 ICT Ministers (Action Plan on Implementing the Charter)

G7 ICT Ministers

April 30, 2016

Promoting cybersecurity. "(19.) We reaffirm our support for policies that improve cybersecurity as essential for the development of a trustworthy digitally connected world. As part of our efforts to address cybersecurity risks, threats and vulnerabilities, including those to ICT and ICT-enabled critical infrastructures, we endeavor to strengthen international collaboration, capacity building and public-private partnerships. We also support risk management based approaches to cybersecurity including research on methods to analyze threats and continue to work with all stakeholders on such efforts also through constructive discussions in international fora. (20.) To promote cybersecurity awareness, all stakeholders in the digitally connected world must take active responsibility. To this end, we recognize the importance of developing human capital to reduce threats to cybersecurity. That could be done through training, education and increased awareness to enable citizens, enterprises including critical infrastructure operators and governments to meet their objectives in an efficient manner."

Position of the Council at first reading with a view to the adoption of a Directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union

European Union

April 21, 2016

European Union member states issued a directive that requires companies that suffer serious cyberattacks to notify authorities in the EU country in which they are based. The EU Network and Information Security (NIS) Directive would apply the notification obligation to companies in two categories: those considered to be in "critical sectors," and digital service providers—that is, online marketplaces, search engines, and cloud service providers. (77 pages)

Operationalizing Cybersecurity Due Diligence: A Transatlantic Comparative Case Study

South Carolina Law Review

January 12, 2016

Although much work has been done on applying the law of warfare to cyberattacks, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations' due diligence obligations are to one another and to the private sector, as well as how these obligations should be translated into policy. The article analyzes how both the United States and the European Union are operationalizing the concept of cybersecurity due diligence and investigates a menu of options presented to the European Parliament in November 2015 to further refine and apply this concept. (28 pages)

Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses

RAND Corp.

November 18, 2015

The report finds that the existing cybersecurity measures in the EU are fragmented, largely due to gaps in operational capabilities as well as strategic priorities of member states regarding cybersecurity. Whether the EU response to cybersecurity should adopt a formal and mandatory character is also debated. It suggests five policy options that the EP should consider in order to improve the EU's overall approach to cybersecurity. (153 pages)

FACT SHEET: The 2015 G-7 Summit at Schloss Elmau, Germany

White House

June 8, 2015

Member nations of the Group of Seven (G7) announced a new cooperative effort to guard the energy sector from hackers, cyber-spies, and other online attackers. The seven industrialized democracies will exchange information on methodologies for identifying cyber threats and vulnerabilities within the energy sector, sharing best practices and making "investment in cybersecurity capabilities and capacity building." See "Launching New Work on Energy Sector Cybersecurity" on the Fact Sheet.

European Agenda on Security

European Commission

April 28, 2015

The agenda pledges EU nations to review obstacles to cross-border cybercrime investigations, especially related to jurisdiction and evidence sharing. It also pledges EU institutions to follow through on commitments in the 28-nation bloc's 2013 Cybersecurity Strategy, especially by adopting a proposal for a binding EU-wide directive on network and information security. (21 pages)

EU Cybersecurity Dashboard: A Path to a Secure European Cyberspace

Business Software Alliance (BSA)

March 4, 2015

The report analyzes the current status of all 28 member states against pre-determined criteria for cybersecurity best practices. (20 pages)

Joint Committee Report on Risks and Vulnerabilities in the EU Financial System

European Banking Authority

March 2015

Cybercrime and computer failure are areas of great concern and should be included in financial firms' risk management procedures, according to a report by EU bank, insurance, and market regulators. Financial institutions should be encouraged to integrate IT security and resilience into their proprietary risk models. System security and IT strategy carry their own risks and complexities that can bleed across into more traditional forms of risk. (15 pages)

Fact Sheet: US-United Kingdom Cybersecurity Cooperation

White House

January 16, 2015

The UK's Government Communications Headquarters (GCHQ) and Security Service (MI5) are working with their U.S. partners—the National Security Agency and the Federal Bureau of Investigation—to further strengthen U.S.-UK collaboration on cybersecurity by establishing a joint cyber cell, with an operating presence in each country. The cell, which will allow staff from each agency to be co-located, will focus on specific cyber defense topics and enable cyber threat information and data to be shared at pace and at greater scale.

Threat Landscape and Good Practice Guide for Internet Infrastructure

European Union Agency for Network and Information Security (ENISA)

January 2015

The report details the assets composing an Internet infrastructure and classifies the threats applicable, highlighting "important specific threats" that disrupt connectivity. These include routing threats, DNS threats, and (Distributed) Denial of Service. Each threat is linked with a list of assets exposed. Overall, there is an increase in the occurrence of these threats. (64 pages)

"Joint Elements" from U.S.-EU Cyber Dialogue

U.S. State Department and European Union (EU)

December 5, 2014

U.S. and EU officials said at an inaugural cyber dialogue meeting in Belgium that they had reaffirmed numerous shared principles, including a commitment to a multistakeholder Internet governance model and international cooperation on cybersecurity. In a joint preliminary statement, the officials also reiterated their support for a 2013 United Nations Governmental Group of Experts consensus that international law applies in cyberspace just as it does on land or at sea and for the 2012 Budapest Convention, a treaty focused on international cooperation to fight cybercrime.

Cyber defence in the EU: Preparing for cyber warfare?

European Parliamentary Research Service

October 31, 2014

A number of EU member states are among those developing their capabilities, and the EU's own Defence Agency is also working on projects to augment cyber defenses in the union. The report includes summaries of EU member nations and NATO's national cyber-defense policies. (10 pages)

European Cybersecurity Implementation Series


August 26, 2014

ISACA has released the European Cybersecurity Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice.

Cyber-attacks: Effects on UK

Oxford Economics

July 2014

The UK Centre for the Protection of National Infrastructure asked Oxford Economics to carry out a study of the impact of state-sponsored cyberattacks on UK firms. The study consists of the elaboration of an economic framework for cyberattacks, a survey of UK firms on cyberattacks, an event study on the impact of cyberattacks on stock-market valuations, and a series of case studies illustrating the experience of several UK firms with cyberattacks. (79 pages)

iDATA: Improving Defences Against Targeted Attack

Centre for the Protection of National Infrastructure (UK)

July 2014

The iDATA program consists of a number of projects aimed at addressing threats posed by nation-states and state-sponsored actors. iDATA has resulted in several outputs for the cybersecurity community. The document provides a description of the iDATA program and a summary of the reports. (8 pages)

U.S.-EU Cyber Cooperation

White House

March 26, 2014

The new high-level U.S.-EU Cyber Dialogue announced at the 2014 U.S.-EU Summit will formalize and broaden cooperation between the United States and the EU on cyber issues, building on shared commitments and achievements in key areas.

Legislative Resolution on the Proposal for a Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union

European Parliament

March 13, 2014

The directive would require companies operating critical infrastructure to maintain a specified minimum level of cybersecurity preparedness and report to national authorities about cyberattacks with a significant impact on the security of their networks.

10 Steps to Cyber Security

UK Department for Business Innovation and Skills and the Centre for the Protection of National Infrastructure

February 4, 2014

The joint communiqué outlines steps UK regulators and government departments have agreed to undertake to improve the country's cyber systems and network defenses. Steps to combat cyberattacks include (1) assessing the state of cybersecurity across each sector and working with industry to address vulnerabilities; (2) working with industry to increase information flows on threat vulnerabilities and mitigation strategies; and (3) encouraging companies to join information-sharing initiatives. (20 pages)

Handbook on European Data Protection Law

Council of Europe

December 2013

The handbook is a first point of reference on both EU law and the European Convention on Human Rights (ECHR) on data protection, and it explains how the field of data protection is regulated under EU law and the ECHR as well as under the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and other council instruments. Each chapter presents a single table of the applicable legal provisions, including important selected case law under the two separate European legal systems. (214 pages)

Directive of the European Parliament and of the Council on Attacks Against Information Systems

European Parliament Civil Liberties Committee

August 12, 2013

The objectives of this directive are (1) to approximate the criminal law of EU member states in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offenses and the relevant sanctions and (2) to improve cooperation between competent authorities, including the police and other specialized law-enforcement services of member states, as well as the competent specialized-EU agencies and bodies, such as Eurojust, Europol and its European Cyber Crime Centre, and the European Network and Information Security Agency. (7 pages)

The Global Cyber Game: Achieving Strategic Resilience in the Global Knowledge Society

Defence Academy of the United Kingdom

May 8, 2013

Provides a systematic way of thinking about cyberpower and its use by a range of global players. The global cyberpower contest is framed as a global cyber game, played out on a "Cyber Gameboard"—a framework that can be used for strategic and tactical thinking about cyber strategy. (127 pages)

Defence White Paper 2013

Australia Department of Defence

May 3, 2013

The paper states that "The Australian Cyber Security Centre will bring together security capabilities from the Defence Signals Directorate, Defence Intelligence Organisation, Australian Security Intelligence Organisation, the Attorney-General's Department's Computer Emergency Response Team Australia, Australian Federal Police, and the Australian Crime Commission." (148 pages)

Cyber Security Information Partnership (CISP)

Cabinet Office, United Kingdom

March 27, 2013

CISP introduces a secure virtual "collaboration environment" in which government and industry partners can exchange information on threats and vulnerabilities in real time. CISP will be complemented by a "Fusion Cell," which will be supported on the government side by the Security Service, Government Communications Headquarters and the National Crime Agency, and industry analysts from a variety of sectors.

Defence and Cyber-Security, vol. 1 - Report, together with formal minutes, oral and written evidence

Defence and Cyber-Security, vol. 2 - Additional Written Evidence

House of Commons Defence Committee (UK)

December 18, 2012

"Given the inevitable inadequacy of the measures available to protect against a constantly changing and evolving threat ... it is not enough for the Armed Forces to do their best to prevent an effective attack. In its response to this report the Government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so—and urgently create some." (pages: 99 (vol. 1) and 37 (vol. 2))

Five Years after Estonia's Cyber Attacks: Lessons Learned for NATO?

North Atlantic Treaty Organization (NATO)

May 2012

In April 2007, a series of cyberattacks targeted Estonian information systems and telecommunication networks. Lasting 22 days, the attacks were directed at a range of servers (i.e., web, email, domain name systems) and routers. The 2007 attacks did not damage much of the Estonian IT infrastructure. However, the attacks were a message to NATO, offering a practical demonstration that cyberattacks could now cripple an entire nation dependent on IT networks. (8 pages)

German Anti-Botnet Initiative

Organisation for Economic Co-operation and Development (OECD)

December 8, 2009

This is a private-industry initiative that aims to ensure that customers whose personal computers have become part of a botnet without them being aware of it are informed by their ISPs about this situation and given competent support in removing the malware. (4 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Author Contact Information

[author name scrubbed], Senior Research Librarian ([email address scrubbed], [phone number scrubbed])