
HeinOnline handle: hein.crs/govcayz0001 (January 10, 2017)

Cybersecurity Issues and Challenges

Updated January 10, 2017


Information and communications technology (ICT) is
ubiquitous and continually evolving. It is increasingly
integral to modern society. ICT devices and components
form a highly interdependent system of networks,
infrastructure, and resident data known as cyberspace.

The process of protecting cyberspace from attacks by
criminals and other adversaries is called cybersecurity. The
risks associated with any such attack depend on three
factors: threats (who is attacking), vulnerabilities (what
weaknesses they are attacking), and impacts (how the attack
affects the victims).

What are the threats? People who perform cyberattacks
generally fall into one or more of five categories: criminals
intent on monetary gain from crimes such as theft or
extortion; spies involved in espionage, stealing classified
or proprietary information used by government or private
entities; nation-state adversaries who develop capabilities
and undertake cyberattacks in support of a country's
strategic objectives; hacktivists who perform
cyberattacks for nonmonetary reasons; and terrorists who
engage in cyberattacks as a form of non-state or state-sponsored warfare.

What are the vulnerabilities? Attackers and defenders are
engaged in a cybersecurity arms race. Attackers constantly
probe ICT systems for weaknesses. Defenders can often
protect against them, but three are particularly challenging:
inadvertent or intentional acts by insiders with access to a
system; supply chain vulnerabilities, which can permit the
insertion of malicious software or hardware during
development or acquisition; and previously unknown, or
zero-day, vulnerabilities with no established fix.

What are the impacts? A successful attack can
compromise the confidentiality, integrity, and availability
of an ICT system, the information it handles, and things to
which it is connected. Cybertheft or cyberespionage can
result in exfiltration of financial, proprietary, or personal
information from which the attacker can benefit, often
without the knowledge of the victim. Denial-of-service
attacks can slow or prevent legitimate users from accessing
a system. Botnet malware can give an attacker command of
a network of zombie computers or devices for use in
cyberattacks on other systems. Attacks on industrial control
systems can result in the destruction of the equipment they
control, such as generators, pumps, and centrifuges.

Most cyberattacks have limited impacts, but a successful
attack on some components of critical infrastructure (CI), most of which is held by the private sector, could have
significant effects on national security, the economy, and
the livelihood and safety of individual citizens. Thus, a rare
successful attack with high impact can pose a larger risk
than a common successful attack with low impact.

Reducing the risks from cyberattacks usually involves (1)
removing the threat source, e.g., by closing down botnets or
reducing incentives for cybercriminals; (2) addressing
vulnerabilities by hardening ICT assets, e.g., by patching
software and training employees; and (3) lessening impacts
by mitigating damage and restoring functions, e.g., by
having back-up resources available for continuity of
operations in response to an attack.


The federal role in cybersecurity involves both securing
federal systems and assisting in protecting nonfederal
systems. All federal agencies are responsible for protecting
their own systems, and many have sector-specific
responsibilities for CI. More than 50 statutes address
various aspects of cybersecurity, and several new laws were
enacted in the 113th and 114th Congresses.

Figure 1. Federal Agency Roles in Cybersecurity

[Figure: simplified schematic diagram of major federal agency responsibilities in cybersecurity; the image itself is not recoverable from the scanned text.]

Source: CRS.
Notes: DHS: Department of Homeland Security; DOD: Department
of Defense; DOJ: Department of Justice; FISMA: the Federal
Information Security Modernization Act; IC: Intelligence Community;
NIST: National Institute of Standards and Technology; NSA: National
Security Agency; NSS: National Security Systems; OMB: Office of
Management and Budget; R&D: Research and development.

Figure 1 is a simplified schematic diagram of major agency
responsibilities in cybersecurity. In general, NIST develops
FISMA standards that apply to federal civilian ICT, and
